Vendor scorecard
HAProxy
HAProxy security disclosure record — CVE volume, CVSS severity mix and product-category breakdown, sourced from the NIST NVD.
CPE: haproxy
Product families
1
Open in latest
14
Inferred — see methodology
Last disclosure
Jun 18, 2026
01
Product categories
1 trackedCVE volume, severity mix and the inferred latest shipping version per category.
| Category | CVEs | Volume | Severity mix | Open | Inferred latest |
|---|---|---|---|---|---|
| HAProxyApplication Delivery / ADChaproxy, haproxy_enterprise, aloha… | 6 | 14 | 3.1.12MED |
02
Recent CVEs
4 shownMost recently published, newest first. Each ID links to its NVD record.
| CVE | Severity | CVSS | Summary | Published |
|---|---|---|---|---|
| CVE-2026-55204(opens NVD record) | High | 7.5 | HAProxy through 3.4.0, fixed in commit 9a6d1fe, contains a null pointer dereference vulnerability in hpack_dht_insert() within src/hpack-tbl.c that fails to validate the return value of hpack_dht_defrag() when the memory pool is exhausted. An attacker can trigger HPACK dynamic table insertions under memory pressure to dereference a NULL pointer and crash HAProxy worker processes, causing denial of service. | Jun 18, 2026 |
| CVE-2026-55203(opens NVD record) | High | 7.5 | HAProxy through 3.4.0, fixed in commit 5985276, contains an integer overflow vulnerability in the fcgi_conn structure's drl field that allows buffer misparse as new FCGI record headers. When contentLength is 65535 and paddingLength is 1 or more, the drl field wraps to 0, causing incorrect record consumption and allowing malicious FastCGI backends to desynchronize the FCGI framing parser, potentially causing request routing errors, response smuggling, or memory safety issues. | Jun 18, 2026 |
| CVE-2026-33555(opens NVD record) | Medium | 4.0 | An issue was discovered in HAProxy before 3.3.6. The HTTP/3 parser does not check that the received body length matches a previously announced content-length when the stream is closed via a frame with an empty payload. This can cause desynchronization issues with the backend server and could be used for request smuggling. The earliest affected version is 2.6. | Apr 13, 2026 |
| CVE-2025-11230(opens NVD record) | High | 7.5 | Inefficient algorithm complexity in mjson in HAProxy allows remote attackers to cause a denial of service via specially crafted JSON requests. | Nov 19, 2025 |
4 CVEs · 1 product families