Primary

Context

Hackage-Server Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in hackage-server. User-controlled metadata from .cabal files is rendered into HTML href attributes without adequate sanitization, allowing for the injection of malicious scripts. This issue affects several fields, including 'homepage', 'bug-reports', 'source-repository.location', and 'description' (Haddock hyperlinks). The vulnerability exists in all published versions of hackage-server.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user.

Remediation

The vulnerability has been fixed in hackage-server version 2de3ae45082f8f3f29a41f6aff620d09d0e74058. Users should update to this version or later.

Added: Apr 23, 2026, 4:28 PM

Updated: Apr 23, 2026, 4:28 PM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

1.7

exploitability

5.0

remediation

0.0

relevance

6.5

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

1.7

exploitability

5.0

remediation

0.0

relevance

6.5

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Hackage-Server Stored Cross-Site Scripting Vulnerability

Vulnerability

Impact

Remediation

Affected Products

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating