← back
CVE-2026-40471

Hackage CSRF vulnerability

CVSS 9.6 CRITICALEPSS 0.1%CWE-352
Vexday Risk Score
28Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 9.6EPSS 0.1%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
23 Apr 2026Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
hackage-server lacked Cross-Site Request Forgery (CSRF) protection across its endpoints. Scripts on foreign sites could trigger requests to hackage server, possibly abusing latent credentials to upload packages or perform other administrative actions. Some unauthenticated actions could also be abused (e.g. creating new user accounts).
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L
Affected products
hackage-server