XXE in Hapifhir Org.hl7.fhir.core

CVE-2026-55471

HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to 6.9.10, org.hl7.fhir.utilities.XsltUtilities saxonTransform(...) overloads instantiated a bare net.sf.saxon.TransformerFactor…

Vulnerability class: XXE (XML External Entity)

Affected products

Weakness classification (CWE)

References