Hapifhir Org.Hl7.Fhir.Core vulnerabilities
6 known vulnerabilities affecting hapifhir/org.hl7.fhir.core.
Total CVEs: 6
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 3, MEDIUM 1
Vulnerabilities
CVE-2026-34361 | P2 | CRITICAL | CVSS 9.3 | CWE-552 | fixed in 6.9.4 | 2026-03-31
HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to version 6.9.4, the FHIR Validator HTTP service exposes an unauthenticated "/loadIG" endpoint that makes outbound HTTP requests to attacker-controlled URLs. Combined with a startsWith() URL prefix matching flaw in the credential provide
Source: nvd
CVE-2026-34359 | P3 | CRITICAL | CVSS 9.1 | CWE-346 | fixed in 6.9.4 | 2026-03-31
HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to version 6.9.4, ManagedWebAccessUtils.getServer() uses String.startsWith() to match request URLs against configured server URLs for authentication credential dispatch. Because configured server URLs (e.g., http://tx.fhir.org) lack a tra
Source: nvd
CVE-2024-45294 | P3 | HIGH | CVSS 8.6 | CWE-611 | fixed in 6.3.23 | 2024-09-06
The HL7 FHIR Core Artifacts repository provides the java core object handling code, with utilities (including validator), for the Fast Healthcare Interoperability Resources (FHIR) specification. Prior to version 6.3.23, XSLT transforms performed by various components are vulnerable to XML external entity injections. A processed XML file with a malicio
Source: nvd
CVE-2024-52007 | P3 | HIGH | CVSS 8.6 | CWE-611 | fixed in 6.4.0 | 2024-11-08
HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. XSLT parsing performed by various components is vulnerable to XML external entity injections. A processed XML file with a malicious DTD tag ( ]> could produce XML containing data from the host system. This impacts use cases where org.hl7.fhir.core
Source: nvd
CVE-2026-33180 | P3 | HIGH | CVSS 7.5 | CWE-200 | fixed in 6.9.0 | 2026-03-20
HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to version 6.9.0, when setting headers in HTTP requests, the internal HTTP client sends headers first to the host in the initial URL but also, if asked to follow redirects and a 30X HTTP response code is returned, to the host mentioned in URL
Source: nvd
CVE-2026-34360 | P3 | MEDIUM | CVSS 5.8 | CWE-918 | fixed in 6.9.4 | 2026-03-31
HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to version 6.9.4, the /loadIG HTTP endpoint in the FHIR Validator HTTP service accepts a user-supplied URL via JSON body and makes server-side HTTP requests to it without any hostname, scheme, or domain validation. An unauthenticated attack
Source: nvd