HAProxy High Performance TCP/HTTP Load Balancer
By the Year
In 2026 there have been 3 vulnerabilities in HAProxy with an average score of 6.3 out of ten. Last year, in 2025, HAProxy had 3 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, the number of security vulnerabilities in HAProxy in 2026 could surpass last year's number. Last year, the average CVE base score was greater by 0.62.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 3 | 6.33 |
| 2025 | 3 | 6.95 |
| 2024 | 3 | 7.50 |
| 2023 | 6 | 7.63 |
| 2022 | 1 | 7.50 |
| 2021 | 4 | 6.95 |
| 2020 | 1 | 0.00 |
| 2019 | 6 | 5.90 |
| 2018 | 5 | 0.00 |
It may take a day or so for new HAProxy vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent HAProxy Security Vulnerabilities
| CVE | Date | Vulnerability | Description |
|---|---|---|---|
| CVE-2026-55204 | Jun 18, 2026 | HAProxy 3.4.0 Null Pointer Deref in hpack_dht_insert() DoS | HAProxy through 3.4.0, fixed in commit 9a6d1fe, contains a null pointer dereference vulnerability in hpack_dht_insert() within src/hpack-tbl.c, which fails to validate the return value of hpack_dht_defrag() when the memory pool is exhausted. An attacker can trigger HPACK dynamic table insertions under memory pressure to dereference a NULL pointer and crash HAProxy worker processes, causing denial of service. |
| CVE-2026-55203 | Jun 18, 2026 | HAProxy <3.4.0 Integer Overflow in FastCGI Conn drl Field | HAProxy through 3.4.0, fixed in commit 5985276, contains an integer overflow vulnerability in the fcgi_conn structure's drl field that causes buffer data to be misparsed as new FCGI record headers. When contentLength is 65535 and paddingLength is 1 or more, the drl field wraps to 0, causing incorrect record consumption and allowing malicious FastCGI backends to desynchronize the FCGI framing parser, potentially causing request routing errors, response smuggling, or memory safety issues. |
| CVE-2026-33555 | Apr 13, 2026 | HAProxy <3.3.6 HTTP/3 Parser Desynchronization & Request Smuggling | An issue was discovered in HAProxy before 3.3.6. The HTTP/3 parser does not check that the received body length matches a previously announced content-length when the stream is closed via a frame with an empty payload. This can cause desynchronization issues with the backend server and could be used for request smuggling. The earliest affected version is 2.6. |
| CVE-2025-11230 | Nov 19, 2025 | HAProxy mjson Denial-of-Service via Crafted JSON (CVE-2025-11230) | Inefficient algorithmic complexity in mjson in HAProxy allows remote attackers to cause a denial of service via specially crafted JSON requests. |
| CVE-2025-59303 | Oct 08, 2025 | HAProxy K8s Ingress Controller <3.1.13 config-snippets YML Injection | HAProxy Kubernetes Ingress Controller before 3.1.13, when the config-snippets feature flag is used, accepts config snippets from users with create/update permissions. This can result in obtaining an ingress token secret as a response. The fixed versions of HAProxy Enterprise Kubernetes Ingress Controller are 3.0.16-ee1, 1.11.13-ee1, and 1.9.15-ee1. |
| CVE-2025-32464 | Apr 09, 2025 | HAProxy 2.2-3.1.6 Heap Buffer Overflow in sample_conv_regsub | HAProxy 2.2 through 3.1.6, in certain uncommon configurations, has a sample_conv_regsub heap-based buffer overflow because of mishandling of the replacement of multiple short patterns with a longer one. |
| CVE-2024-53008 | Nov 28, 2024 | CVE-2024-53008: HAProxy HTTP SM bypasses ACLs | An inconsistent interpretation of HTTP requests ('HTTP Request/Response Smuggling') issue exists in HAProxy. If this vulnerability is exploited, a remote attacker may access a path that is restricted by an ACL (Access Control List) set on the product. As a result, the attacker may obtain sensitive information. |
| CVE-2024-49214 | Oct 14, 2024 | QUIC IP List Bypass in HAProxy 3.1-dev<7, 3.0<5, 2.9<11 | QUIC in HAProxy 3.1.x before 3.1-dev7, 3.0.x before 3.0.5, and 2.9.x before 2.9.11 allows opening a 0-RTT session with a spoofed IP address. This can bypass the IP allow/block list functionality. |
| CVE-2024-45506 | Sep 04, 2024 | Remote DoS via h2_send Loop in HAProxy 2.9.x<2.9.10, 3.0.x<3.0.4, 3.1.x<3.1-dev6 | HAProxy 2.9.x before 2.9.10, 3.0.x before 3.0.4, and 3.1.x through 3.1-dev6 allows a remote denial of service for HTTP/2 zero-copy forwarding (h2_send loop) under a certain set of conditions, as exploited in the wild in 2024. |
| CVE-2023-45539 | Nov 28, 2023 | HAProxy <2.8.2 Accepts # in URI, Risk of Path Misinterpretation | HAProxy before 2.8.2 accepts # as part of the URI component, which might allow remote attackers to obtain sensitive information or have unspecified other impact upon misinterpretation of a path_end rule, such as routing index.html#.png to a static server. |