CVE-2026-40472 — AI Deep Analysis Summary

🚨 **Essence**: hackage-server suffers from a **Stored XSS** vulnerability. <br>💥 **Consequences**: User-controlled metadata is not sanitized.…

🛡️ **CWE**: CWE-79 (Improper Neutralization of Input During Web Page Generation). <br>🔍 **Flaw**: The server fails to properly clean/escape **user-controlled metadata** before storing or rendering it.…

📦 **Affected Component**: **hackage-server** (Haskell package repository server). <br>🌐 **Scope**: Any instance running this open-source Haskell software.…

💻 **Attacker Actions**: <br>1. Inject malicious JavaScript via metadata fields. <br>2. Execute code in victims' browsers (Stored XSS). <br>3. Steal cookies/session tokens. <br>4. Perform actions on behalf of victims.…

🔐 **Auth Required**: **Yes**. The CVSS vector `PR:L` indicates **Privileges Required: Low**. <br>👤 **Requirement**: An attacker needs a low-level account to submit metadata.…

📜 **Public Exploit**: **No**. The `pocs` field is empty in the provided data. <br>🌍 **Wild Exploitation**: Unconfirmed.…

🔍 **Self-Check**: <br>1. Scan for **hackage-server** instances. <br>2. Look for metadata fields that accept raw HTML/JS input. <br>3. Test if injected scripts execute without escaping.…

🛠️ **Official Fix**: **Likely Yes**. The CVE is published (2026-04-23), implying a fix or advisory exists. <br>📥 **Action**: Update hackage-server to the latest patched version.…

🚧 **No Patch Workaround**: <br>1. **Input Validation**: Strictly sanitize all metadata inputs server-side. <br>2. **Output Encoding**: Ensure all metadata is HTML-encoded before rendering. <br>3.…

⚡ **Urgency**: **High**. <br>📈 **Risk**: CVSS Score implies High Impact on Confidentiality/Integrity. <br>🎯 **Priority**: Immediate patching recommended.…