CVE-2026-55471

Source
https://cve.org/CVERecord?id=CVE-2026-55471
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-55471.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-55471
Aliases
Downstream
Published
2026-07-08T21:28:45.390Z
Modified
2026-07-15T20:54:38.323744Z
Severity
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N CVSS Calculator
Summary
HAPI FHIR: XXE in XsltUtilities.saxonTransform via unhardened Saxon TransformerFactory
Details

HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to 6.9.10, org.hl7.fhir.utilities.XsltUtilities saxonTransform(...) overloads instantiated a bare net.sf.saxon.TransformerFactoryImpl() without ACCESSEXTERNALDTD or ACCESSEXTERNALSTYLESHEET restrictions, allowing an attacker who controls or can tamper with transformed XML to trigger XML External Entity injection for local file disclosure and blind XXE or SSRF to arbitrary URLs reachable from the host. This issue is fixed in version 6.9.10.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/55xxx/CVE-2026-55471.json",
    "cwe_ids": [
        "CWE-611"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/hapifhir/org.hl7.fhir.core

Affected ranges

Type
GIT
Repo
https://github.com/hapifhir/org.hl7.fhir.core
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "6.9.10"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ]
}

Affected versions

6.*
6.7.11
6.8.1
6.8.2
6.9.0
6.9.1
6.9.2
6.9.3
6.9.4
6.9.5
6.9.6
6.9.7
6.9.8
6.9.9

Database specific

vanir_signatures
[
    {
        "source": "https://github.com/hapifhir/org.hl7.fhir.core/commit/01ca2ecdefec9b33204d2495fe78af8c0dc52298",
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "function_hash": "303519304723831481682073458874783375852",
            "length": 512.0
        },
        "id": "CVE-2026-55471-03f54ec4",
        "signature_type": "Function",
        "target": {
            "function": "saxonTransform",
            "file": "org.hl7.fhir.utilities/src/main/java/org/hl7/fhir/utilities/XsltUtilities.java"
        }
    },
    {
        "source": "https://github.com/hapifhir/org.hl7.fhir.core/commit/01ca2ecdefec9b33204d2495fe78af8c0dc52298",
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "104481894383719166611656802580136674201",
                "86895500729497762125066552037758289543",
                "246152745129527444000406255081270731977",
                "245371709913283079065219447394658511442",
                "23969227385167261348634502007444400416",
                "257398111821106991616622201864434867067",
                "171202708765483368251917546707051873491",
                "19235397311355690486042934481978209267",
                "22417253970380195835583267258505243561",
                "294514499661621671622557827989369182150",
                "241596595771695158215147328387860131443",
                "5609277139140170352514010364909966597",
                "16462647814049715431228497890766491051",
                "58032869139232372627462683622442193749",
                "84457785573981843820440451717441769723",
                "12300696494754956486312828576113882503",
                "101202300805083540441888057355498508495",
                "58092116795315808488022798505206105915",
                "159208649995823111381622098261522198408"
            ]
        },
        "id": "CVE-2026-55471-0ced3033",
        "signature_type": "Line",
        "target": {
            "file": "org.hl7.fhir.utilities/src/test/java/org/hl7/fhir/utilities/xml/XMLUtilTests.java"
        }
    },
    {
        "source": "https://github.com/hapifhir/org.hl7.fhir.core/commit/01ca2ecdefec9b33204d2495fe78af8c0dc52298",
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "function_hash": "24379169558718345873126433071797113084",
            "length": 886.0
        },
        "id": "CVE-2026-55471-70477b9d",
        "signature_type": "Function",
        "target": {
            "function": "saxonTransform",
            "file": "org.hl7.fhir.utilities/src/main/java/org/hl7/fhir/utilities/XsltUtilities.java"
        }
    },
    {
        "source": "https://github.com/hapifhir/org.hl7.fhir.core/commit/01ca2ecdefec9b33204d2495fe78af8c0dc52298",
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "function_hash": "315566200878511146849185177055525664054",
            "length": 585.0
        },
        "id": "CVE-2026-55471-881f71cb",
        "signature_type": "Function",
        "target": {
            "function": "saxonTransform",
            "file": "org.hl7.fhir.utilities/src/main/java/org/hl7/fhir/utilities/XsltUtilities.java"
        }
    },
    {
        "source": "https://github.com/hapifhir/org.hl7.fhir.core/commit/01ca2ecdefec9b33204d2495fe78af8c0dc52298",
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "40859664408162169004733392626013234932",
                "321331393502563986045813740238085608418",
                "300895393451319590435396964487424932229"
            ]
        },
        "id": "CVE-2026-55471-a8ff8bc6",
        "signature_type": "Line",
        "target": {
            "file": "org.hl7.fhir.utilities/src/main/java/org/hl7/fhir/utilities/xml/XMLUtil.java"
        }
    },
    {
        "source": "https://github.com/hapifhir/org.hl7.fhir.core/commit/01ca2ecdefec9b33204d2495fe78af8c0dc52298",
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "41042219908143320097508213522268336798",
                "292292471500030997639208160313359104465",
                "80391877391783566716682354963083801760",
                "182256399327435299668523746929692228319",
                "24450119068399640447433524490730641943",
                "57151940138284701204502758955849163225",
                "283102182264327526858653810632539795717",
                "90345780646676809708066209915195243629",
                "188001326512855780313749891934039245876",
                "69879512446714429642555169835822320778",
                "213265267741173002485847260556550389690",
                "150278353861835831339171209082481502404"
            ]
        },
        "id": "CVE-2026-55471-c4c97653",
        "signature_type": "Line",
        "target": {
            "file": "org.hl7.fhir.utilities/src/main/java/org/hl7/fhir/utilities/XsltUtilities.java"
        }
    },
    {
        "source": "https://github.com/hapifhir/org.hl7.fhir.core/commit/01ca2ecdefec9b33204d2495fe78af8c0dc52298",
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "function_hash": "293239560893253126428779865837734788915",
            "length": 961.0
        },
        "id": "CVE-2026-55471-dad47ddb",
        "signature_type": "Function",
        "target": {
            "function": "testTransformerFactoryThrowsExceptionForExternalEntity",
            "file": "org.hl7.fhir.utilities/src/test/java/org/hl7/fhir/utilities/xml/XMLUtilTests.java"
        }
    }
]
vanir_signatures_modified
"2026-07-15T20:54:38Z"
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-55471.json"