CVE-2026-40471

Published: Apr 23, 2026Modified: Apr 24, 2026

9.6

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L

Exploitability: 2.8 / Impact: 6.0

Source: 74b3a70d-cca6-4d34-9789-e83b222ae3be (Secondary)

Description

hackage-server lacked Cross-Site Request Forgery (CSRF) protection across its endpoints. Scripts on foreign sites could trigger requests to hackage server, possibly abusing latent credentials to upload packages or perform other administrative actions. Some unauthenticated actions could also be abused (e.g. creating new user accounts).

Related CWEs

CWE-352

Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

References (1)

https://osv.dev/vulnerability/HSEC-2026-0002

Source: 74b3a70d-cca6-4d34-9789-e83b222ae3be

Timeline

No history available yet.