PT-2026-32986 · Hackage · Hackage-Server

Published: 2026-01-16 · Updated: 2026-04-23 · CVE-2026-40470

CVSS v3.1: 9.9 (Critical)

Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
Name of the Vulnerable Software and Affected Versions: hackage-server (affected versions not specified)

Description: Stored Cross-Site Scripting (XSS) occurs because HTML and JavaScript files supplied in source packages or uploaded through the documentation facility are served as-is from the main domain, so they run in the site's own origin. This allows a malicious package maintainer to execute scripts in the browser of users with latent HTTP credentials. Such scripts can hijack sessions to upload packages or documentation, amend maintainers, or modify package metadata without user interaction. Additionally, attackers could present counterfeit login forms to steal credentials. The issue specifically affects documentation bundles, including the quick-jump.min.js file and its corresponding CSS, as well as HTML content within source tarballs.

Recommendations: Update to the master branch of the upstream repository (commit 9a1887607d9b8d1a3b8b02c990ee144c0d402b79 or later) and configure a separate user content domain using the --user-content-uri flag.
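To make the recommendation concrete, the following is an added example (not hackage-server's own code) that checks whether a candidate --user-content-uri value actually isolates user content from the main site's origin and from its cookie scope; the host names used are constructed placeholders.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return the (scheme, host, port) tuple browsers use for the same-origin policy."""
    u = urlsplit(url)
    if u.scheme not in DEFAULT_PORTS or not u.hostname:
        raise ValueError(f"unsupported or malformed URL: {url!r}")
    return (u.scheme, u.hostname.lower(), u.port or DEFAULT_PORTS[u.scheme])


def domain_matches(cookie_domain, host):
    """RFC 6265 domain-match: host equals cookie_domain or is a subdomain of it."""
    cookie_domain = cookie_domain.lstrip(".").lower()
    host = host.lower()
    return host == cookie_domain or host.endswith("." + cookie_domain)


def check_user_content_isolation(main_uri, user_content_uri):
    """Return a list of findings; an empty list means user content is isolated.

    Three things matter for the XSS described in the advisory:
    1. a distinct origin, so uploaded scripts cannot read the main site's DOM
       or reuse cached HTTP credentials bound to the main origin;
    2. a host that is not the main host or a subdomain of it, so cookies set
       with a Domain attribute for the main host are not sent along;
    3. https, so the isolated origin is not downgraded on the wire.
    """
    findings = []
    main, content = origin(main_uri), origin(user_content_uri)
    if main == content:
        findings.append("same origin: uploaded scripts run with the site's own credentials")
        return findings
    if domain_matches(main[1], content[1]):
        findings.append("host is the main host or a subdomain of it: Domain-scoped cookies still sent")
    if content[0] != "https":
        findings.append("user content not served over https")
    return findings


if __name__ == "__main__":
    # Constructed placeholder hosts, not real deployment values.
    for candidate in ("https://hackage.example/package/foo/docs",
                      "https://docs.hackage.example",
                      "https://hackage-content.example"):
        print(candidate, check_user_content_isolation("https://hackage.example", candidate) or "OK")
```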

Fix

XSS

Weakness Enumeration

Related Identifiers: CVE-2026-40470, HSEC-2024-0004

Affected Products: Hackage-Server