PT-2026-32988 · Hackage · Hackage-Server

Published: 2026-03-28 · Updated: 2026-04-23 · CVE-2026-40472

CVSS v3.1: 9.9 (Critical)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
Name of the Vulnerable Software and Affected Versions: hackage-server versions prior to commit 2de3ae45082f8f3f29a41f6aff620d09d0e74058

Description: User-controlled metadata from .cabal files is rendered into HTML 'href' attributes without proper sanitization, enabling stored Cross-Site Scripting (XSS), a technique in which malicious scripts are injected into trusted websites. The affected fields include homepage, bug-reports, source-repository.location, and description (Haddock hyperlinks).

Recommendations: Update to commit 2de3ae45082f8f3f29a41f6aff620d09d0e74058 or later.
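The class of check the description implies, as an added illustration in Python rather than hackage-server's own Haskell code: a value taken from a .cabal field is only emitted into an href attribute after its URL scheme has been allowlisted and the value escaped for attribute context. The allowed scheme set, the function names and the sample field values are assumptions made for this example, not taken from the fix commit.

```python
import html
from typing import Optional
from urllib.parse import urlsplit

# Schemes acceptable as link targets in package metadata (a policy choice made
# for this example). Everything else, javascript: and data: included, is refused.
ALLOWED_SCHEMES = frozenset({"http", "https", "mailto"})


def safe_href(value: str) -> Optional[str]:
    """Return an attribute-safe href for a metadata URL, or None if rejected.

    Two separate problems are covered:
      1. Scheme: browsers ignore tabs/newlines anywhere in a URL and strip
         leading/trailing control characters, so those are removed *before*
         the scheme is inspected; urlsplit() lowercases the scheme, which
         defeats mixed-case variants.
      2. Attribute breakout: the surviving value is escaped with quote=True
         so a '"' inside the URL cannot terminate the href attribute.
    """
    cleaned = value.replace("\t", "").replace("\n", "").replace("\r", "")
    cleaned = cleaned.strip("".join(chr(c) for c in range(0x21)))
    try:
        scheme = urlsplit(cleaned).scheme
    except ValueError:  # malformed input such as an unbalanced IPv6 bracket
        return None
    if scheme not in ALLOWED_SCHEMES:
        return None
    return html.escape(cleaned, quote=True)


def render_link(field: str, value: str) -> str:
    """Render one .cabal metadata field as HTML. A rejected value is shown as
    escaped text, never as a link, so nothing user-controlled reaches href
    without passing safe_href()."""
    href = safe_href(value)
    if href is None:
        return f"<span>{html.escape(value, quote=True)}</span>"
    return f'<a href="{href}">{html.escape(field, quote=True)}</a>'


if __name__ == "__main__":
    # Constructed sample values for the fields named in the advisory.
    samples = {
        "homepage": "https://example.com/pkg",
        "bug-reports": "JavaScript:void(0)",
        "source-repository.location": 'https://example.com/?q=" x="y',
    }
    for field, value in samples.items():
        print(f"{field}: {render_link(field, value)}")
```

Link targets produced by the Haddock renderer for the description field need the same treatment before they are placed in an attribute.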

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-40472
HSEC-2026-0004

Affected Products

Hackage-Server