PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-55471 hapifhir CVE debrief

CVE-2026-55471 is an XML External Entity injection vulnerability in HAPI FHIR prior to 6.9.10. The issue allows an attacker to trigger XML External Entity injection for local file disclosure and blind XXE or SSRF to arbitrary URLs reachable from the host. This vulnerability exists in the org.hl7.fhir.utilities.XsltUtilities saxonTransform(...) overloads, which instantiated a bare net.sf.saxon.TransformerFactoryImpl() without ACCESS_EXTERNAL_DTD or ACCESS_EXTERNAL_STYLESHEET restrictions.

Vendor
hapifhir
Product
org.hl7.fhir.core
CVSS
HIGH 8.7
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-08
Original CVE updated
2026-07-10
Advisory published
2026-07-08
Advisory updated
2026-07-10

Who should care

Users of HAPI FHIR prior to version 6.9.10 should update to the latest version to prevent XML External Entity injection attacks. This includes operators, platform administrators, vulnerability management teams, and security teams who use HAPI FHIR in their environments.

Technical summary

The vulnerability exists in the org.hl7.fhir.utilities.XsltUtilities saxonTransform(...) overloads, which instantiated a bare net.sf.saxon.TransformerFactoryImpl() without ACCESS_EXTERNAL_DTD or ACCESS_EXTERNAL_STYLESHEET restrictions. This allows an attacker who controls or can tamper with transformed XML to trigger XML External Entity injection. The issue can lead to local file disclosure and blind XXE or SSRF to arbitrary URLs reachable from the host.

Defensive priority

High

Recommended defensive actions

  • Update to HAPI FHIR version 6.9.10 or later
  • Restrict access to XML transformation functionality
  • Implement input validation and sanitization for XML data
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up

Evidence notes

The CVE record was published on 2026-07-08T22:17:15.520Z and was last modified on 2026-07-10T18:01:31.563Z. The NVD entry is currently Awaiting Analysis. There is limited information available about the vulnerability, and defenders should verify the affected scope and severity with the vendor. The issue allows an attacker to trigger XML External Entity injection for local file disclosure and blind XXE or SSRF to arbitrary URLs reachable from the host.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-08T22:17:15.520Z and has not been modified since then. The NVD entry is currently Awaiting Analysis.