CVE-2026-33555

Published: Apr 13, 2026 Last Modified: Apr 13, 2026
ExploitDB:
Other exploit source:
Google Dorks:
MEDIUM 4,0
Source: [email protected]
Attack Vector: network
Attack Complexity: high
Privileges Required: none
User Interaction: none
Scope: changed
Confidentiality: none
Integrity: low
Availability: none

Description

AI Translation Available

An issue was discovered in HAProxy before 3.3.6. The HTTP/3 parser does not check that the received body length matches a previously announced content-length when the stream is closed via a frame with an empty payload. This can cause desynchronization issues with the backend server and could be used for request smuggling. The earliest affected version is 2.6.

EPSS (Exploit Prediction Scoring System)

Trend Analysis

EPSS (Exploit Prediction Scoring System)

Prevede la probabilità di sfruttamento basata su intelligence sulle minacce e sulle caratteristiche della vulnerabilità.

EPSS Score
0,0001
Percentile
0,0th
Updated

EPSS Score Trend (Last 3 Days)

130

Improper Handling of Length Parameter Inconsistency

Incomplete
Abstraction: Base Structure: Simple
Common Consequences
Security Scopes Affected:
Confidentiality Integrity
Potential Impacts:
Read Memory Modify Memory Varies By Context
Applicable Platforms
Languages: C, C++, Not Language-Specific
View CWE Details
https://github.com/haproxy/haproxy/commit/05a295441c621089f…
https://github.com/haproxy/haproxy/commit/05a295441c621089ffa4318daf0dbca2dd756…
https://www.haproxy.com/documentation/haproxy-aloha/changel…
https://www.haproxy.com/documentation/haproxy-aloha/changelog/
https://www.haproxy.org
https://www.haproxy.org
https://www.mail-archive.com/[email protected]/msg46752.…
https://www.mail-archive.com/[email protected]/msg46752.html