Browse all 6 CVE security advisories affecting hapifhir. AI-powered Chinese analysis, POCs, and references for each vulnerability.
Hapifhir is an open-source FHIR server implementation designed for healthcare data management and interoperability. Historically, it has been susceptible to multiple critical vulnerabilities including remote code execution, cross-site scripting, and privilege escalation, with six CVEs documented to date. The platform's security challenges often stem from improper input validation and insufficient access controls in its API endpoints. While no major public security incidents have been widely reported, the consistent pattern of vulnerabilities in a healthcare-critical system raises concerns about potential patient data exposure and system compromise in production environments.
| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2026-34361 | HAPI FHIR: Unauthenticated SSRF via /loadIG Chains with startsWith() Credential Leak for Authentication Token Theft — org.hl7.fhir.coreCWE-552 | 9.3 | Critical | 2026-03-31 |
| CVE-2026-34360 | HAPI FHIR: Unauthenticated Blind SSRF via /loadIG Endpoint Enables Internal Network Probing — org.hl7.fhir.coreCWE-918 | 5.8 | Medium | 2026-03-31 |
| CVE-2026-34359 | HAPI FHIR: Authentication Credential Leakage via Improper URL Prefix Matching on HTTP Redirect in HAPI FHIR Core — org.hl7.fhir.coreCWE-346 | 7.4 | High | 2026-03-31 |
| CVE-2026-33180 | HAPI FHIR HTTP authentication leak in redirects — org.hl7.fhir.coreCWE-200 | 7.5 | High | 2026-03-20 |
| CVE-2024-52007 | XXE vulnerability in XSLT parsing in `org.hl7.fhir.core` — org.hl7.fhir.coreCWE-611 | 8.6 | High | 2024-11-08 |
| CVE-2024-45294 | `org.hl7.fhir.core` XXE vulnerability in XSLT transforms — org.hl7.fhir.coreCWE-611 | 8.6 | High | 2024-09-06 |
This page lists every published CVE security advisory associated with hapifhir. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.