Lyrie
Critical CVE
CVSS 9.6 · 3 sources verified
By Lyrie Threat Intelligence·4/24/2026

CRITICAL: CVE-2026-40471 (CVSS 9.6) — multiple products

CVE: CVE-2026-40471

CVSS: 9.6 (3.1) — CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L

Severity: CRITICAL

Status: Critical advisory

Affected

_See vendor advisory_

Summary

hackage-server lacked Cross-Site Request Forgery (CSRF) protection across its endpoints. Scripts on foreign sites could trigger requests to hackage-server, possibly abusing latent credentials to upload packages or perform other administrative actions. Some unauthenticated actions could also be abused (e.g. creating new user accounts).
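A server-side origin check of the kind that closes this class of bug, shown as an added example (it is not hackage-server's code or its actual fix). It runs before authentication, so it also covers unauthenticated actions such as account creation, and it lets non-browser clients through; the origin `https://hackage.example`, the function names and the sample requests are constructed for illustration.

```python
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # assumption: these never change state
DEFAULT_PORTS = {"http": 80, "https": 443}
TRUSTED = {"https://hackage.example"}      # placeholder origin, not a real host

def canonical_origin(value):
    """Return lower-case scheme://host[:port] without default ports, else None."""
    try:
        parts = urlsplit(value.strip())
        port = parts.port
    except ValueError:
        return None
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None                        # also covers the opaque origin "null"
    origin = f"{parts.scheme}://{parts.hostname}"
    if port and port != DEFAULT_PORTS[parts.scheme]:
        origin += f":{port}"
    return origin

def check_request(method, headers, trusted_origins):
    """Return (allowed, reason). Header names are expected in lower case."""
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    trusted = {canonical_origin(o) for o in trusted_origins} - {None}
    site = headers.get("sec-fetch-site")
    if site is not None:
        # Set by the browser, not by page script. "same-site" is rejected
        # so that a sibling subdomain cannot drive state-changing requests.
        ok = site.strip().lower() in ("same-origin", "none")
        return ok, f"sec-fetch-site={site}"
    origin = headers.get("origin")
    if origin is not None:                 # browsers without Fetch Metadata
        return canonical_origin(origin) in trusted, f"origin={origin}"
    # Neither header: a non-browser client, which cannot be driven by a foreign page.
    return True, "no browser origin signal"

# Constructed sample requests (method, lower-cased headers).
SAMPLES = [
    ("POST", {"sec-fetch-site": "cross-site", "origin": "https://foreign.example"}),
    ("POST", {"sec-fetch-site": "same-origin", "origin": "https://hackage.example"}),
    ("POST", {"origin": "https://foreign.example"}),
    ("PUT", {"authorization": "placeholder"}),   # command-line client
    ("GET", {"sec-fetch-site": "cross-site"}),   # ordinary cross-site link
]

def run_samples():
    return [check_request(m, h, TRUSTED)[0] for m, h in SAMPLES]
```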

Verified Sources

References

  • https://osv.dev/vulnerability/HSEC-2026-0002

_Validated by the Lyrie Threat Intelligence Pipeline — 3 independent sources confirmed before publication. No speculation._

Lyrie Verdict

A vulnerability of this severity is exactly what Lyrie's anti-rogue-AI defense is built for: continuous, autonomous monitoring that doesn't wait for human reaction time.

Validated sources

  1. NVD
  2. GitHub Advisory
  3. MITRE