Bug #16411
Updated by Jim Pingle 3 days ago
There is a potential reflected cross-site scripting vulnerability in the HAProxy package:
@/usr/local/www/haproxy/haproxy_stats.php@ displays the value of the @showsticktablecontent@ GET parameter without encoding.
Reported by Alex Williams of Pellera Technology via VulnCheck, CVE-2025-34172
While looking at that, I also found that the @showstatresolvers@ code path references @$sticktablename@, but it isn't relevant on that code path. The only possible item to display is @globalresolvers@, so it doesn't need to use any user input for that action.
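As an added illustration (not the package's own @haproxy_stats.php@ code), the pattern described above in PHP: the GET parameter emitted as-is beside an HTML-encoded version, and the resolvers path using its fixed name instead of the user-supplied variable. Function names, markup and the sample request value are assumed.

```php
<?php
// Illustration only; not the pfSense haproxy package code. Names and
// markup are made up for the demo.

// Unsafe pattern: the request value is placed in the page body unchanged,
// so whatever the URL carries becomes part of the response markup.
function render_sticktable_heading_unsafe(array $get): string {
    $sticktablename = $get['showsticktablecontent'] ?? '';
    return "<h3>Stick table: " . $sticktablename . "</h3>";
}

// Hardened: encode for the HTML context (quotes included) before output.
function render_sticktable_heading(array $get): string {
    $sticktablename = $get['showsticktablecontent'] ?? '';
    $safe = htmlspecialchars($sticktablename, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<h3>Stick table: " . $safe . "</h3>";
}

// Resolvers path: the only displayable item is the global resolvers
// section, so no request parameter is read here at all.
function render_resolvers_heading(): string {
    return "<h3>Resolvers: globalresolvers</h3>";
}

// Demo with a constructed, harmless request value.
$demo = ['showsticktablecontent' => 'table "one" <b>'];
echo render_sticktable_heading_unsafe($demo), "\n"; // markup passes through
echo render_sticktable_heading($demo), "\n";        // &quot; and &lt;b&gt; encoded
echo render_resolvers_heading(), "\n";
```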