XML External Entity Injection in HAPI FHIR by HAPI FHIR Project
CVE-2026-55471

8.7HIGH

Key Information:

Vendor

Hapifhir

Vendor
CVE Published:
8 July 2026

What is CVE-2026-55471?

The HAPI FHIR implementation of the HL7 FHIR standard prior to version 6.9.10 suffers from a vulnerability wherein the saxonTransform(...) method exposes the TransformerFactoryImpl without appropriate restrictions on external DTD and stylesheets. This flaw enables attackers with control over XML inputs to exploit XML External Entity (XXE) vulnerabilities, potentially leading to local file disclosures and allowing arbitrary URLs to be reached from the host, which can be disastrous for data integrity and privacy.

Affected Version(s)

org.hl7.fhir.core < 6.9.10

References

CVSS V4

Score:
8.7
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.