HSEC-2026-0004: hackage-server XSS

Author: frasertweedale

advisories/hackage/hackage-server/HSEC-2026-0004.md

@@ -0,0 +1 @@
+../../published/2026/HSEC-2026-0004.md

advisories/published/2026/HSEC-2026-0004.md

@@ -0,0 +1,54 @@
+```toml
+[advisory]
+id = "HSEC-2026-0004"
+cwe = [84]
+keywords = ["hackage", "xss", "supply-chain"]
+
+[[affected]]
+package = "hackage-server"
+cvss = "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L"
+
+[[affected.versions]]
+introduced = "0.1"
+
+[[references]]
+type = "FIX"
+url = "https://github.com/haskell/hackage-server/commit/2de3ae45082f8f3f29a41f6aff620d09d0e74058"
+```
+
+# Hackage package metadata stored XSS vulnerability
+
+User-controlled metadata from `.cabal` files are rendered into HTML
+`href` attributes without proper sanitization, enabling stored
+Cross-Site Scripting (XSS) attacks.  The specific fields affected
+are:
+
+- `homepage`
+- `bug-reports`
+- `source-repository.location`
+- `description` (Haddock hyperlinks)
+
+The Haskell Security Response Team audited the entire corpus of
+**published** packages on `hackage.haskell.org`—all published
+package versions but *not* candidates.  No exploitation attempts
+were detected.
+
+To fix the issue, *hackage-server* now inspects target URIs and only
+produces a hyperlink when the URI has an approved scheme: `http`,
+`https`, and (only for some fields) `mailto`.
+
+The fix has been [committed][commit] and deployed on
+`hackage.haskell.org`.  Other operations of *hackage-server*
+instances should update as soon as possible to commit
+`2de3ae45082f8f3f29a41f6aff620d09d0e74058` or later.
+
+## Acknowledgements
+
+- **Joshua Rogers** (https://joshua.hu/) of AISLE
+  (https://aisle.com/) reported the issue to the Haskell Security
+  Response Team.
+- **Fraser Tweedale** implemented the fix.
+- **Gershom Bazerman** merged the fix and deployed it to
+  `hackage.haskell.org`.
+
+[commit]: https://github.com/haskell/hackage-server/commit/2de3ae45082f8f3f29a41f6aff620d09d0e74058