CVE
CVE-2026-40470
CVSS 9.9
Daily digests
Hackage-server serves uploaded HTML and JavaScript files on the main hackage.haskell.org domain with no sandboxing. A malicious package maintainer can upload docs containing JavaScript that runs in the context of any logged-in user who views the page. That means full session hijack: uploading packages, changing maintainers, the works. CVSS 9.9.
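The two controls whose absence the digest describes are origin isolation (uploaded docs never rendered on the host that carries the session cookie) and a CSP sandbox (uploaded markup gets an opaque origin even if it is rendered). The following is an added illustration written for this digest, not hackage-server code: the hostnames, the `Response` type and the `serve_uploaded_doc` / `serves_active_content_unsafely` helpers are assumptions made for the example, and it generalises beyond Hackage to any service that stores and serves user-supplied HTML.

```python
"""Serving user-uploaded HTML/JS without handing over the viewer's session.

Added example for the CVE-2026-40470 digest; not hackage-server's code.
Hostnames below are constructed placeholders.
"""
from dataclasses import dataclass
from http import HTTPStatus

MAIN_HOST = "hackage.haskell.org"            # host that carries the login cookie
DOCS_HOST = "docs.user-content.example"      # assumed separate, cookieless origin

# Headers attached to every response that carries user-uploaded content.
# CSP "sandbox" without allow-same-origin gives the document an opaque origin,
# so its scripts cannot read cookies or storage of the host and cannot act as
# the site's origin; nosniff stops a browser upgrading a stray text file to
# active content.
DOCS_HEADERS = {
    "Content-Security-Policy": "sandbox allow-scripts",
    "X-Content-Type-Options": "nosniff",
    "Cache-Control": "no-store",
}

ACTIVE_TYPES = ("text/html", "application/javascript",
                "text/javascript", "image/svg+xml")


@dataclass
class Response:
    status: int
    headers: dict
    body: str


def serve_uploaded_doc(host: str, path: str, content: str,
                       content_type: str) -> Response:
    """Serve one uploaded documentation file for request host `host`.

    The vulnerable pattern (what the digest describes) would return `content`
    as text/html from MAIN_HOST with no sandbox, so a script in it runs with
    the main site's origin and the viewer's session.  Here a request on
    MAIN_HOST is redirected to the isolated origin instead of rendered, and
    every rendered response gets the sandbox headers.
    """
    if host == MAIN_HOST:
        # Never interpret user-supplied markup while the session cookie is in scope.
        return Response(HTTPStatus.FOUND,
                        {"Location": f"https://{DOCS_HOST}{path}"}, "")
    if host != DOCS_HOST:
        return Response(HTTPStatus.NOT_FOUND, {}, "")
    headers = dict(DOCS_HEADERS)
    headers["Content-Type"] = content_type
    return Response(HTTPStatus.OK, headers, content)


def serves_active_content_unsafely(resp: Response, host: str) -> bool:
    """Regression check for a test suite or proxy: True when a 200 response
    renders active content on the main host or without a CSP sandbox."""
    ctype = resp.headers.get("Content-Type", "")
    if resp.status != HTTPStatus.OK or not ctype.startswith(ACTIVE_TYPES):
        return False
    csp = resp.headers.get("Content-Security-Policy", "")
    return host == MAIN_HOST or "sandbox" not in csp


if __name__ == "__main__":
    # Constructed sample: an uploaded doc page requested on the main host.
    r = serve_uploaded_doc(MAIN_HOST, "/package/foo/docs/index.html",
                           "<p>uploaded docs</p>", "text/html")
    print(r.status, r.headers.get("Location"))
```

`serves_active_content_unsafely` is the piece worth keeping around after the fix: run it against every route that can return stored user content, so a later refactor that quietly serves docs from the main host again fails a test rather than reopening the session-hijack path.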