XML External Entity Injection in HAPI FHIR by HAPI FHIR Project
CVE-2026-55471
8.7HIGH
What is CVE-2026-55471?
The HAPI FHIR implementation of the HL7 FHIR standard prior to version 6.9.10 suffers from a vulnerability wherein the saxonTransform(...) method exposes the TransformerFactoryImpl without appropriate restrictions on external DTD and stylesheets. This flaw enables attackers with control over XML inputs to exploit XML External Entity (XXE) vulnerabilities, potentially leading to local file disclosures and allowing arbitrary URLs to be reached from the host, which can be disastrous for data integrity and privacy.
Affected Version(s)
org.hl7.fhir.core < 6.9.10
