VYPR
Vendor: Hapifhir
Products: 4
CVEs: 10 (across products: 10)
Status: Private

Recent CVEs (10)
  • CVE-2024-51132 | Critical | Nov 5, 2024
    risk 0.57 | cvss 9.8 | epss 0.02

    An XML External Entity (XXE) vulnerability in HAPI FHIR before v6.4.0 allows attackers to access sensitive information or execute arbitrary code by supplying a crafted request containing malicious XML entities.

  • CVE-2026-34361 | Critical | Mar 31, 2026
    risk 0.53 | cvss 9.3 | epss 0.00

    HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to version 6.9.4, the FHIR Validator HTTP service exposes an unauthenticated "/loadIG" endpoint that makes outbound HTTP requests to attacker-controlled URLs. Combined…

  • CVE-2026-55471 | Critical | Jun 17, 2026
    risk 0.52 | cvss: not listed | epss: not listed

    Summary: `org.hl7.fhir.utilities.XsltUtilities` exposes two parallel families of XSLT transform helpers. The `transform(...)` overloads obtain their `TransformerFactory` from the project's hardened helper `XMLUtil.newXXEProtectedTransformerFactory()` (which sets…

  • CVE-2024-52007 | High | Nov 8, 2024
    risk 0.49 | cvss 8.6 | epss 0.01

    HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. XSLT parsing performed by various components is vulnerable to XML external entity injection. A processed XML file with a malicious DTD tag (<!DOCTYPE foo [<!ENTITY example…

  • CVE-2024-45294 | High | Sep 6, 2024
    risk 0.49 | cvss 8.6 | epss 0.01

    The HL7 FHIR Core Artifacts repository provides the java core object handling code, with utilities (including validator), for the Fast Healthcare Interoperability Resources (FHIR) specification. Prior to version 6.3.23, XSLT transforms performed by various components are…

  • CVE-2026-34359 | High | Mar 31, 2026
    risk 0.41 | cvss 7.4 | epss 0.00

    HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to version 6.9.4, ManagedWebAccessUtils.getServer() uses String.startsWith() to match request URLs against configured server URLs for authentication credential…

  • CVE-2026-55470 | High | Jun 17, 2026
    risk 0.38 | cvss: not listed | epss: not listed

    Summary: The fix for CVE-2026-45367 added `RegexTimeout` protection to the `matches()` function in DSTU2016MAY, DSTU3, R4, R4B, and R5, but the DSTU2 module was incompletely patched. In `org.hl7.fhir.dstu2`, `replaceMatches()` was updated while `matches()` at line 2462 still…

  • CVE-2026-45367 | High | May 18, 2026
    risk 0.38 | cvss: not listed | epss 0.00

    Summary: All implementations of FHIRPathEngine accept arbitrary FHIRPath expressions and evaluate them without input validation. The FHIRPath functions `matches()`, `matchesFull()`, and `replaceMatches()` pass user-controlled regular expressions directly to Java's…

  • CVE-2026-34360 | Medium | Mar 31, 2026
    risk 0.31 | cvss 5.8 | epss 0.00

    HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to version 6.9.4, the /loadIG HTTP endpoint in the FHIR Validator HTTP service accepts a user-supplied URL via JSON body and makes server-side HTTP requests to it…

  • CVE-2020-24301 | Oct 8, 2020
    risk 0.00 | cvss: not listed | epss 0.01

    Users of the HAPI FHIR Testpage Overlay 5.0.0 and below can use a specially crafted URL to exploit an XSS vulnerability in this module, allowing arbitrary JavaScript to be executed in the user's browser. The impact of this vulnerability is believed to be low, as this module is…