PT-2026-32987 · Hackage · Hackage-Server
Published 2026-03-28 · Updated 2026-04-23 · CVE-2026-40471
CVSS v3.1: 9.6 Critical
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L
Name of the Vulnerable Software and Affected Versions
hackage-server (affected versions not specified)
Description
The software lacked Cross-Site Request Forgery (CSRF) protection across its endpoints. A script running on another origin could cause a visitor's browser to send requests to the server, and because the browser attaches the user's ambient session credentials (cookies) automatically, such requests could upload packages or perform administrative actions on behalf of a logged-in user. In addition, some actions that required no authentication at all, such as creating new user accounts, could be triggered the same way.
Recommendations
Apply the update that implements CSRF middleware to check the Sec-Fetch-Site header for all requests using HTTP methods other than GET, HEAD, and OPTIONS.
Fix: CSRF
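The recommended fix is a Fetch Metadata check: browsers attach a Sec-Fetch-Site header to every request, so a server can reject state-changing requests whose header says the request was initiated from another site. The following Python is an added illustration of that pattern and is not hackage-server's own (Haskell) code. Its policy choices are assumptions, not details from the advisory: safe methods (GET, HEAD, OPTIONS) are always passed through; for any other method the header values "same-origin" and "none" (a user-initiated navigation such as a typed URL or bookmark) are trusted, "same-site" and "cross-site" are rejected; and a request with no Sec-Fetch-Site header at all is allowed, on the reasoning that non-browser clients (command-line upload tools) never send it while every current browser does.

```python
"""Illustrative Fetch-Metadata CSRF guard (added example, not hackage-server code).

Policy assumptions (not taken from the advisory):
  * GET/HEAD/OPTIONS are never blocked (they must not change state).
  * For other methods, Sec-Fetch-Site must be "same-origin" or "none".
  * A missing Sec-Fetch-Site header is treated as a non-browser client and
    allowed; this leaves pre-Fetch-Metadata browsers unprotected, which is the
    usual trade-off when command-line clients must keep working.
"""
from __future__ import annotations

from typing import Callable, Iterable, Mapping

SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})
TRUSTED_SITES = frozenset({"same-origin", "none"})


def _header(headers: Mapping[str, str], name: str) -> str | None:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def is_request_allowed(method: str, headers: Mapping[str, str]) -> bool:
    """Return True if the request may proceed under the Fetch-Metadata policy."""
    if method.upper() in SAFE_METHODS:
        return True
    site = _header(headers, "Sec-Fetch-Site")
    if site is None:
        return True  # assumption: no header means a non-browser client
    return site.strip().lower() in TRUSTED_SITES


WsgiApp = Callable[[dict, Callable], Iterable[bytes]]


class FetchMetadataCsrfMiddleware:
    """WSGI middleware that answers 403 to cross-site state-changing requests."""

    def __init__(self, app: WsgiApp) -> None:
        self.app = app

    def __call__(self, environ: dict, start_response: Callable) -> Iterable[bytes]:
        method = environ.get("REQUEST_METHOD", "GET")
        # WSGI exposes request headers as HTTP_<NAME> keys in the environ.
        headers = {}
        if "HTTP_SEC_FETCH_SITE" in environ:
            headers["Sec-Fetch-Site"] = environ["HTTP_SEC_FETCH_SITE"]
        if not is_request_allowed(method, headers):
            body = b"Forbidden: cross-site request rejected\n"
            start_response(
                "403 Forbidden",
                [("Content-Type", "text/plain"), ("Content-Length", str(len(body)))],
            )
            return [body]
        return self.app(environ, start_response)


# Constructed sample requests: (method, headers, expected decision).
CONSTRUCTED_REQUESTS = [
    ("GET", {"Sec-Fetch-Site": "cross-site"}, True),     # read-only, always allowed
    ("POST", {"Sec-Fetch-Site": "same-origin"}, True),   # the site's own forms
    ("POST", {"sec-fetch-site": "none"}, True),          # user-initiated navigation
    ("POST", {"Sec-Fetch-Site": "cross-site"}, False),   # the shape of the advisory's attack
    ("PUT", {"Sec-Fetch-Site": "same-site"}, False),     # sibling subdomain, also rejected
    ("DELETE", {}, True),                                # no header: non-browser client
]


def run_demo() -> list[bool]:
    """Evaluate every constructed request; each entry is True when the decision matched."""
    return [is_request_allowed(m, h) == expected for m, h, expected in CONSTRUCTED_REQUESTS]


if __name__ == "__main__":
    for (method, headers, _), ok in zip(CONSTRUCTED_REQUESTS, run_demo()):
        print(f"{method:7} {headers!s:40} -> {'as expected' if ok else 'MISMATCH'}")
```

The check is deliberately placed before any handler runs, so a forgotten endpoint cannot opt out of it; the one residual gap in this policy is a browser old enough not to send Fetch Metadata, which is why deployments that can drop non-browser clients sometimes reject the missing-header case instead.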
Affected Products
Hackage-Server