CVE-2026-40471

Discovered by AISLEPUBLISHEDCWE-352

Description

hackage-server lacked Cross-Site Request Forgery (CSRF) protection across its endpoints. Scripts on foreign sites could trigger requests to hackage server, possibly abusing latent credentials to upload packages or perform other administrative actions. Some unauthenticated actions could also be abused (e.g. creating new user accounts).

CVSS Base Scores

CVSS v3.1(Primary)

9.6

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L

Affected Products

Vendor	Product	Version	Status
Unknown	hackage-server	0.1	affected

References

https://osv.dev/vulnerability/HSEC-2026-0002