CVE-2026-40471 CRITICAL

CVE-2026-40471: Hackage CSRF vulnerability

Weakness CWE-352 · CSRF
Published April 23, 2026
Last update April 23, 2026

CVSS base score

9.6/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L

What the vulnerability does

01 Description

hackage-server lacked Cross-Site Request Forgery (CSRF) protection across its endpoints. Scripts on foreign sites could trigger requests to hackage-server, possibly abusing latent credentials to upload packages or perform other administrative actions. Some unauthenticated actions could also be abused (e.g. creating new user accounts).

Key dates

02 Disclosure timeline

April 23, 2026 CVE published
April 23, 2026 Record updated