Hackage CSRF vulnerability
Summary
| CVE | CVE-2026-40471 |
|---|---|
| State | PUBLISHED |
| Assigner | redhat-cnalr |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-04-23 16:16:25 UTC |
| Updated | 2026-04-24 14:41:55 UTC |
| Description | hackage-server lacked Cross-Site Request Forgery (CSRF) protection across its endpoints. Scripts on foreign sites could trigger requests to hackage server, possibly abusing latent credentials to upload packages or perform other administrative actions. Some unauthenticated actions could also be abused (e.g. creating new user accounts). |
Risk And Classification
Primary CVSS: v3.1 9.6 CRITICAL (source 74b3a70d-cca6-4d34-9789-e83b222ae3be)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L
EPSS: 0.000170000 probability, percentile 0.042900000 (date 2026-04-24)
Problem Types: CWE-352 Cross-Site Request Forgery (CSRF)
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | 74b3a70d-cca6-4d34-9789-e83b222ae3be | Secondary | 9.6 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L |
| 3.1 | CNA | CVSS | 9.6 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L |
CVSS v3.1 Breakdown
| Metric | Value |
|---|---|
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | Required |
| Scope | Changed |
| Confidentiality | High |
| Integrity | High |
| Availability | Low |
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L
There are no known software configurations currently associated with this CVE in NVD or the CVE Program record.
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| osv.dev/vulnerability/HSEC-2026-0002 | 74b3a70d-cca6-4d34-9789-e83b222ae3be | osv.dev | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.