VYPR

Hl7 Fhir Core

by Hapifhir

CVEs (7)

  • CVE-2024-51132 | Cri | Nov 5, 2024
    risk 0.57 | cvss 9.8 | epss 0.02

    An XML External Entity (XXE) vulnerability in HAPI FHIR before v6.4.0 allows attackers to access sensitive information or execute arbitrary code via supplying a crafted request containing malicious XML entities.

  • CVE-2026-34361 | Cri | Mar 31, 2026
    risk 0.53 | cvss 9.3 | epss 0.00

    HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to version 6.9.4, the FHIR Validator HTTP service exposes an unauthenticated "/loadIG" endpoint that makes outbound HTTP requests to attacker-controlled URLs. Combined…

  • CVE-2024-52007 | Hig | Nov 8, 2024
    risk 0.49 | cvss 8.6 | epss 0.01

    HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. XSLT parsing performed by various components is vulnerable to XML external entity injections. A processed XML file with a malicious DTD tag (<!DOCTYPE foo [<!ENTITY example…

  • CVE-2024-45294 | Hig | Sep 6, 2024
    risk 0.49 | cvss 8.6 | epss 0.01

    The HL7 FHIR Core Artifacts repository provides the java core object handling code, with utilities (including validator), for the Fast Healthcare Interoperability Resources (FHIR) specification. Prior to version 6.3.23, XSLT transforms performed by various components are…

  • CVE-2026-34359 | Hig | Mar 31, 2026
    risk 0.41 | cvss 7.4 | epss 0.00

    HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to version 6.9.4, ManagedWebAccessUtils.getServer() uses String.startsWith() to match request URLs against configured server URLs for authentication credential…

  • CVE-2026-45367 | hig | May 18, 2026
    risk 0.38 | cvss | epss 0.00

    Summary: All implementations of FHIRPathEngine accept arbitrary FHIRPath expressions and evaluate them without input validation. The FHIRPath functions `matches()`, `matchesFull()`, and `replaceMatches()` pass user-controlled regular expressions directly to Java's…

  • CVE-2026-34360 | Med | Mar 31, 2026
    risk 0.31 | cvss 5.8 | epss 0.00

    HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to version 6.9.4, the /loadIG HTTP endpoint in the FHIR Validator HTTP service accepts a user-supplied URL via JSON body and makes server-side HTTP requests to it…