CVE-2026-40471

Published Apr 23, 2026

Last updated 6 hours ago

Overview

Description
hackage-server lacked Cross-Site Request Forgery (CSRF) protection across its endpoints. Scripts on foreign sites could trigger requests to hackage-server, possibly abusing latent credentials to upload packages or perform other administrative actions. Some unauthenticated actions could also be abused (e.g. creating new user accounts).
Source
74b3a70d-cca6-4d34-9789-e83b222ae3be
NVD status
Received

Risk scores

CVSS 3.1

Type
Secondary
Base score
9.6
Impact score
6
Exploitability score
2.8
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L
Severity
CRITICAL

Weaknesses

74b3a70d-cca6-4d34-9789-e83b222ae3be
CWE-352

