CVE-2026-40472

CRITICAL 9.9 | EPSS 0.06%

Hackage package metadata stored XSS vulnerability

Published: 2026/3/28 | Modified: 2026/4/14
Also known as: HSEC-2026-0004

Description

# Hackage package metadata stored XSS vulnerability

User-controlled metadata from `.cabal` files is rendered into HTML `href` attributes without proper sanitization, enabling stored Cross-Site Scripting (XSS) attacks. The specific fields affected are:

- `homepage`
- `bug-reports`
- `source-repository.location`
- `description` (Haddock hyperlinks)

The Haskell Security Response Team audited the entire corpus of **published** packages on `hackage.haskell.org` (all published package versions, but *not* candidates). No exploitation attempts were detected.

To fix the issue, *hackage-server* now inspects target URIs and only produces a hyperlink when the URI has an approved scheme: `http`, `https`, and (only for some fields) `mailto`. The fix has been [committed][commit] and deployed on `hackage.haskell.org`. Operators of other *hackage-server* instances should update as soon as possible to commit `2de3ae45082f8f3f29a41f6aff620d09d0e74058` or later.

## Acknowledgements

- **Joshua Rogers** (https://joshua.hu/) of AISLE (https://aisle.com/) reported the issue to the Haskell Security Response Team.
- **Fraser Tweedale** implemented the fix.
- **Gershom Bazerman** merged the fix and deployed it to `hackage.haskell.org`.

[commit]: https://github.com/haskell/hackage-server/commit/2de3ae45082f8f3f29a41f6aff620d09d0e74058
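The mitigation described above, modelled in Python as an added example (this is not hackage-server's own Haskell code): a hyperlink is emitted only when the URI's scheme is on an allowlist, and the value is escaped for the attribute context either way, so a rejected value is shown as plain text rather than becoming an `href`. Which fields accept `mailto` is not named in the advisory, so the per-field mapping below is an assumption, and the sample metadata is constructed.

```python
import html
from urllib.parse import urlsplit

# Scheme allowlists. Assumption: the advisory says mailto is accepted only
# for some fields without naming them, so FIELD_SCHEMES is constructed.
HTTP_ONLY = frozenset({"http", "https"})
HTTP_AND_MAILTO = HTTP_ONLY | {"mailto"}
FIELD_SCHEMES = {
    "homepage": HTTP_ONLY,
    "bug-reports": HTTP_AND_MAILTO,  # assumption, see lead-in
    "source-repository.location": HTTP_ONLY,
}

def _strip_controls(s: str) -> str:
    """Drop ASCII control characters (tab, newline, NUL, ...) that browsers
    ignore inside a scheme, so 'java<TAB>script:' is not read as scheme-less."""
    return "".join(ch for ch in s if ord(ch) > 0x1F and ord(ch) != 0x7F)

def scheme_of(uri: str) -> str:
    """Lower-cased scheme of the URI, or '' if it has none or does not parse."""
    try:
        return urlsplit(_strip_controls(uri).strip()).scheme.lower()
    except ValueError:  # e.g. a malformed IPv6 literal in the authority
        return ""

def render_link(uri: str, allowed: frozenset = HTTP_ONLY) -> str:
    """Emit an <a> element only when the scheme is allowlisted; otherwise emit
    the value as escaped text so it stays visible but is not clickable."""
    text = html.escape(_strip_controls(uri), quote=True)  # attribute-safe
    if scheme_of(uri) in allowed:
        return f'<a href="{text}">{text}</a>'
    return text

def render_metadata(fields: dict) -> dict:
    """Render each .cabal metadata field with that field's own allowlist."""
    return {name: render_link(value, FIELD_SCHEMES.get(name, HTTP_ONLY))
            for name, value in fields.items()}

if __name__ == "__main__":
    # Constructed sample metadata, including one value that must not link.
    sample = {
        "homepage": "https://example.org/pkg",
        "bug-reports": "mailto:bugs@example.org",
        "source-repository.location": "javascript:alert(1)",
    }
    for name, rendered in render_metadata(sample).items():
        print(f"{name}: {rendered}")
```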

Affected packages (1)

CVSS score

| Source | Version | Severity | Vector |
| --- | --- | --- | --- |
| osv | CVSS 3.1 | CRITICAL 9.9 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L |

References (1)