{"id":"CVE-2026-55471","summary":"HAPI FHIR: XXE in XsltUtilities.saxonTransform via unhardened Saxon TransformerFactory","details":"HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to 6.9.10, org.hl7.fhir.utilities.XsltUtilities saxonTransform(...) overloads instantiated a bare net.sf.saxon.TransformerFactoryImpl() without ACCESS_EXTERNAL_DTD or ACCESS_EXTERNAL_STYLESHEET restrictions, allowing an attacker who controls or can tamper with transformed XML to trigger XML External Entity injection for local file disclosure and blind XXE or SSRF to arbitrary URLs reachable from the host. This issue is fixed in version 6.9.10.","aliases":["GHSA-2f55-g35j-5jmf"],"modified":"2026-07-15T20:54:38.323744Z","published":"2026-07-08T21:28:45.390Z","database_specific":{"cna_assigner":"GitHub_M","cwe_ids":["CWE-611"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/55xxx/CVE-2026-55471.json"},"references":[{"type":"WEB","url":"https://github.com/hapifhir/org.hl7.fhir.core/releases/tag/6.9.10"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/55xxx/CVE-2026-55471.json"},{"type":"ADVISORY","url":"https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-2f55-g35j-5jmf"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-55471"},{"type":"FIX","url":"https://github.com/hapifhir/org.hl7.fhir.core/commit/01ca2ecdefec9b33204d2495fe78af8c0dc52298"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/hapifhir/org.hl7.fhir.core","events":[{"introduced":"0"},{"fixed":"01ca2ecdefec9b33204d2495fe78af8c0dc52298"},{"fixed":"d46c706980e0cef66e6a477719120bbd1a7b60e3"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"fixed":"6.9.10"}],"source":["AFFECTED_FIELD","REFERENCES"]}}],"versions":["6.9.9","6.9.8","6.9.4","6.9.7","6.9.6","6.9.5","6.9.3","6.9.2","6.9.1","6.9.0","6.8.1","6.8.2","6.7.11"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-55471.json","vanir_signatures_modified":"2026-07-15T20:54:38Z","vanir_signatures":[{"deprecated":false,"digest":{"function_hash":"303519304723831481682073458874783375852","length":512},"id":"CVE-2026-55471-03f54ec4","signature_type":"Function","signature_version":"v1","source":"https://github.com/hapifhir/org.hl7.fhir.core/commit/01ca2ecdefec9b33204d2495fe78af8c0dc52298","target":{"file":"org.hl7.fhir.utilities/src/main/java/org/hl7/fhir/utilities/XsltUtilities.java","function":"saxonTransform"}},{"id":"CVE-2026-55471-0ced3033","signature_type":"Line","signature_version":"v1","source":"https://github.com/hapifhir/org.hl7.fhir.core/commit/01ca2ecdefec9b33204d2495fe78af8c0dc52298","target":{"file":"org.hl7.fhir.utilities/src/test/java/org/hl7/fhir/utilities/xml/XMLUtilTests.java"},"deprecated":false,"digest":{"line_hashes":["104481894383719166611656802580136674201","86895500729497762125066552037758289543","246152745129527444000406255081270731977","245371709913283079065219447394658511442","23969227385167261348634502007444400416","257398111821106991616622201864434867067","171202708765483368251917546707051873491","19235397311355690486042934481978209267","22417253970380195835583267258505243561","294514499661621671622557827989369182150","241596595771695158215147328387860131443","5609277139140170352514010364909966597","16462647814049715431228497890766491051","58032869139232372627462683622442193749","84457785573981843820440451717441769723","12300696494754956486312828576113882503","101202300805083540441888057355498508495","58092116795315808488022798505206105915","159208649995823111381622098261522198408"],"threshold":0.9}},{"signature_type":"Function","signature_version":"v1","source":"https://github.com/hapifhir/org.hl7.fhir.core/commit/01ca2ecdefec9b33204d2495fe78af8c0dc52298","target":{"file":"org.hl7.fhir.utilities/src/main/java/org/hl7/fhir/utilities/XsltUtilities.java","function":"saxonTransform"},"deprecated":false,"digest":{"length":886,"function_hash":"24379169558718345873126433071797113084"},"id":"CVE-2026-55471-70477b9d"},{"id":"CVE-2026-55471-881f71cb","signature_type":"Function","signature_version":"v1","source":"https://github.com/hapifhir/org.hl7.fhir.core/commit/01ca2ecdefec9b33204d2495fe78af8c0dc52298","target":{"file":"org.hl7.fhir.utilities/src/main/java/org/hl7/fhir/utilities/XsltUtilities.java","function":"saxonTransform"},"deprecated":false,"digest":{"function_hash":"315566200878511146849185177055525664054","length":585}},{"signature_version":"v1","source":"https://github.com/hapifhir/org.hl7.fhir.core/commit/01ca2ecdefec9b33204d2495fe78af8c0dc52298","target":{"file":"org.hl7.fhir.utilities/src/main/java/org/hl7/fhir/utilities/xml/XMLUtil.java"},"deprecated":false,"digest":{"threshold":0.9,"line_hashes":["40859664408162169004733392626013234932","321331393502563986045813740238085608418","300895393451319590435396964487424932229"]},"id":"CVE-2026-55471-a8ff8bc6","signature_type":"Line"},{"id":"CVE-2026-55471-c4c97653","signature_type":"Line","signature_version":"v1","source":"https://github.com/hapifhir/org.hl7.fhir.core/commit/01ca2ecdefec9b33204d2495fe78af8c0dc52298","target":{"file":"org.hl7.fhir.utilities/src/main/java/org/hl7/fhir/utilities/XsltUtilities.java"},"deprecated":false,"digest":{"line_hashes":["41042219908143320097508213522268336798","292292471500030997639208160313359104465","80391877391783566716682354963083801760","182256399327435299668523746929692228319","24450119068399640447433524490730641943","57151940138284701204502758955849163225","283102182264327526858653810632539795717","90345780646676809708066209915195243629","188001326512855780313749891934039245876","69879512446714429642555169835822320778","213265267741173002485847260556550389690","150278353861835831339171209082481502404"],"threshold":0.9}},{"source":"https://github.com/hapifhir/org.hl7.fhir.core/commit/01ca2ecdefec9b33204d2495fe78af8c0dc52298","target":{"file":"org.hl7.fhir.utilities/src/test/java/org/hl7/fhir/utilities/xml/XMLUtilTests.java","function":"testTransformerFactoryThrowsExceptionForExternalEntity"},"deprecated":false,"digest":{"function_hash":"293239560893253126428779865837734788915","length":961},"id":"CVE-2026-55471-dad47ddb","signature_type":"Function","signature_version":"v1"}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N"}]}