🔐 CVE Alert

CVE-2025-34172

UNKNOWN 0.0

Netgate pfSense CE HAProxy Package 0.63_10 Reflected Cross-Site Scripting

CVSS Score
0.0
EPSS Score
1.0%
EPSS Percentile
58th

In pfSense CE /usr/local/www/haproxy/haproxy_stats.php, the value of the showsticktablecontent parameter is displayed after being read from HTTP GET requests. This can enable reflected cross-site scripting when the victim is authenticated.

CWE CWE-79
Vendor netgate
Product pfsense ce
Published Sep 9, 2025
Last Updated Jul 14, 2026
Stay Ahead of the Next One

Get instant alerts for netgate pfsense ce

Be the first to know when new unknown vulnerabilities affecting netgate pfsense ce are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Netgate / pfSense CE
0.63_10

References

NVD ↗ CVE.org ↗ EPSS Data ↗
github.com: https://github.com/pfsense/FreeBSD-ports/commit/04d1328ab077830eb57a24bb7018c812b6358c64 redmine.pfsense.org: https://redmine.pfsense.org/issues/16411 vulncheck.com: https://www.vulncheck.com/advisories/netgate-pf-sense-ce-ha-proxy-reflected-xss

Credits

Alex Williams (Pellera Technologies)