HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to 6.9.10, org.hl7.fhir.utilities.XsltUtilities saxonTransform(...) overloads instantiated a bare net.sf.saxon.TransformerFactoryImpl() without ACCESSEXTERNALDTD or ACCESSEXTERNALSTYLESHEET restrictions, allowing an attacker who controls or can tamper with transformed XML to trigger XML External Entity injection for local file disclosure and blind XXE or SSRF to arbitrary URLs reachable from the host. This issue is fixed in version 6.9.10.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/55xxx/CVE-2026-55471.json",
"cwe_ids": [
"CWE-611"
],
"cna_assigner": "GitHub_M"
}[
{
"source": "https://github.com/hapifhir/org.hl7.fhir.core/commit/01ca2ecdefec9b33204d2495fe78af8c0dc52298",
"deprecated": false,
"signature_version": "v1",
"digest": {
"function_hash": "303519304723831481682073458874783375852",
"length": 512.0
},
"id": "CVE-2026-55471-03f54ec4",
"signature_type": "Function",
"target": {
"function": "saxonTransform",
"file": "org.hl7.fhir.utilities/src/main/java/org/hl7/fhir/utilities/XsltUtilities.java"
}
},
{
"source": "https://github.com/hapifhir/org.hl7.fhir.core/commit/01ca2ecdefec9b33204d2495fe78af8c0dc52298",
"deprecated": false,
"signature_version": "v1",
"digest": {
"threshold": 0.9,
"line_hashes": [
"104481894383719166611656802580136674201",
"86895500729497762125066552037758289543",
"246152745129527444000406255081270731977",
"245371709913283079065219447394658511442",
"23969227385167261348634502007444400416",
"257398111821106991616622201864434867067",
"171202708765483368251917546707051873491",
"19235397311355690486042934481978209267",
"22417253970380195835583267258505243561",
"294514499661621671622557827989369182150",
"241596595771695158215147328387860131443",
"5609277139140170352514010364909966597",
"16462647814049715431228497890766491051",
"58032869139232372627462683622442193749",
"84457785573981843820440451717441769723",
"12300696494754956486312828576113882503",
"101202300805083540441888057355498508495",
"58092116795315808488022798505206105915",
"159208649995823111381622098261522198408"
]
},
"id": "CVE-2026-55471-0ced3033",
"signature_type": "Line",
"target": {
"file": "org.hl7.fhir.utilities/src/test/java/org/hl7/fhir/utilities/xml/XMLUtilTests.java"
}
},
{
"source": "https://github.com/hapifhir/org.hl7.fhir.core/commit/01ca2ecdefec9b33204d2495fe78af8c0dc52298",
"deprecated": false,
"signature_version": "v1",
"digest": {
"function_hash": "24379169558718345873126433071797113084",
"length": 886.0
},
"id": "CVE-2026-55471-70477b9d",
"signature_type": "Function",
"target": {
"function": "saxonTransform",
"file": "org.hl7.fhir.utilities/src/main/java/org/hl7/fhir/utilities/XsltUtilities.java"
}
},
{
"source": "https://github.com/hapifhir/org.hl7.fhir.core/commit/01ca2ecdefec9b33204d2495fe78af8c0dc52298",
"deprecated": false,
"signature_version": "v1",
"digest": {
"function_hash": "315566200878511146849185177055525664054",
"length": 585.0
},
"id": "CVE-2026-55471-881f71cb",
"signature_type": "Function",
"target": {
"function": "saxonTransform",
"file": "org.hl7.fhir.utilities/src/main/java/org/hl7/fhir/utilities/XsltUtilities.java"
}
},
{
"source": "https://github.com/hapifhir/org.hl7.fhir.core/commit/01ca2ecdefec9b33204d2495fe78af8c0dc52298",
"deprecated": false,
"signature_version": "v1",
"digest": {
"threshold": 0.9,
"line_hashes": [
"40859664408162169004733392626013234932",
"321331393502563986045813740238085608418",
"300895393451319590435396964487424932229"
]
},
"id": "CVE-2026-55471-a8ff8bc6",
"signature_type": "Line",
"target": {
"file": "org.hl7.fhir.utilities/src/main/java/org/hl7/fhir/utilities/xml/XMLUtil.java"
}
},
{
"source": "https://github.com/hapifhir/org.hl7.fhir.core/commit/01ca2ecdefec9b33204d2495fe78af8c0dc52298",
"deprecated": false,
"signature_version": "v1",
"digest": {
"threshold": 0.9,
"line_hashes": [
"41042219908143320097508213522268336798",
"292292471500030997639208160313359104465",
"80391877391783566716682354963083801760",
"182256399327435299668523746929692228319",
"24450119068399640447433524490730641943",
"57151940138284701204502758955849163225",
"283102182264327526858653810632539795717",
"90345780646676809708066209915195243629",
"188001326512855780313749891934039245876",
"69879512446714429642555169835822320778",
"213265267741173002485847260556550389690",
"150278353861835831339171209082481502404"
]
},
"id": "CVE-2026-55471-c4c97653",
"signature_type": "Line",
"target": {
"file": "org.hl7.fhir.utilities/src/main/java/org/hl7/fhir/utilities/XsltUtilities.java"
}
},
{
"source": "https://github.com/hapifhir/org.hl7.fhir.core/commit/01ca2ecdefec9b33204d2495fe78af8c0dc52298",
"deprecated": false,
"signature_version": "v1",
"digest": {
"function_hash": "293239560893253126428779865837734788915",
"length": 961.0
},
"id": "CVE-2026-55471-dad47ddb",
"signature_type": "Function",
"target": {
"function": "testTransformerFactoryThrowsExceptionForExternalEntity",
"file": "org.hl7.fhir.utilities/src/test/java/org/hl7/fhir/utilities/xml/XMLUtilTests.java"
}
}
]
"2026-07-15T20:54:38Z"
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-55471.json"