{"id":"HSEC-2026-0004","summary":"Hackage package metadata stored XSS vulnerability","details":"# Hackage package metadata stored XSS vulnerability\n\nUser-controlled metadata from `.cabal` files is rendered into HTML\n`href` attributes without proper sanitization, enabling stored\nCross-Site Scripting (XSS) attacks.  The specific fields affected\nare:\n\n- `homepage`\n- `bug-reports`\n- `source-repository.location`\n- `description` (Haddock hyperlinks)\n\nThe Haskell Security Response Team audited the entire corpus of\n**published** packages on `hackage.haskell.org`—all published\npackage versions but *not* candidates.  No exploitation attempts\nwere detected.\n\nTo fix the issue, *hackage-server* now inspects target URIs and only\nproduces a hyperlink when the URI has an approved scheme: `http`,\n`https`, and (only for some fields) `mailto`.\n\nThe fix has been [committed][commit] and deployed on\n`hackage.haskell.org`.  Other operators of *hackage-server*\ninstances should update as soon as possible to commit\n`2de3ae45082f8f3f29a41f6aff620d09d0e74058` or later.\n\n## Acknowledgements\n\n- **Joshua Rogers** (https://joshua.hu/) of AISLE\n  (https://aisle.com/) reported the issue to the Haskell Security\n  Response Team.\n- **Fraser Tweedale** implemented the fix.\n- **Gershom Bazerman** merged the fix and deployed it to\n  `hackage.haskell.org`.\n\n[commit]: https://github.com/haskell/hackage-server/commit/2de3ae45082f8f3f29a41f6aff620d09d0e74058\n","aliases":["CVE-2026-40472"],"modified":"2026-03-28T16:15:05.535024Z","published":"2026-03-28T16:05:12Z","database_specific":{"osvs":"https://raw.githubusercontent.com/haskell/security-advisories/refs/heads/generated/osv-export","repository":"https://github.com/haskell/security-advisories","home":"https://github.com/haskell/security-advisories"},"references":[{"type":"FIX","url":"https://github.com/haskell/hackage-server/commit/2de3ae45082f8f3f29a41f6aff620d09d0e74058"}],"affected":[{"package":{"name":"hackage-server","ecosystem":"Hackage","purl":"pkg:hackage/hackage-server"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0.1"}]}],"versions":["0.4","0.5.0"],"database_specific":{"human_link":"https://github.com/haskell/security-advisories/tree/main/advisories/published/2026/HSEC-2026-0004.md","source":"https://github.com/haskell/security-advisories/blob/generated/osv-export/2026/HSEC-2026-0004.json","osv":"https://raw.githubusercontent.com/haskell/security-advisories/refs/heads/generated/osv-export/2026/HSEC-2026-0004.json"},"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L"}]}],"schema_version":"1.7.5"}