EUVD-2026-33998

Medplum before 5.1.14 contains a server-side request forgery vulnerability in the subscription worker that allows authenticated users to perform unauthorized internal network requests by creating FHIR Subscription resources with arbitrary endpoint URLs. Attackers can point subscription endpoints ...

CVE-2026-49120 Medplum < 5.1.14 SSRF via FHIR Subscription Endpoint

Medplum before 5.1.14 contains a server-side request forgery vulnerability in the subscription worker that allows authenticated users to perform unauthorized internal network requests by creating FHIR Subscription resources with arbitrary endpoint URLs. Attackers can point subscription endpoints ...

CVE-2026-37234

FlexRIC v2.0.0 allows a single SCTP connection to bind multiple xappids by sending multiple E42SETUPREQUESTs. On disconnect, only the first registered xappid's resources are cleaned up; subsequent xappids and their subscriptions remain as stale entries. A remote attacker can exploit this to leak...

CVE-2026-37226

FlexRIC v2.0.0 crashes when the iApp receives an E42RICSUBSCRIPTIONREQUEST referencing a non-existent E2 Node. The lookup function returns NULL, which is enforced by assert in Debug builds SIGABRT and dereferenced in Release builds SIGSEGV. A remote unauthenticated attacker can crash the iApp...

CVE-2026-37233

FlexRIC v2.0.0 contains an authorization bypass in the iApp's xApp isolation mechanism. The equality function eqxappricgenid in src/ric/iApp/xappricid.c compares m0-xappid against itself m0-xappid instead of the other argument m1-xappid, effectively ignoring the xApp identity dimension. A malicio...

Medplum 代码问题漏洞

Medplum is an open-source platform for rapid development of medical applications. Versions of Medplum prior to 5.1.14 contained code-related vulnerabilities. These vulnerabilities stemmed from a server-side request forgeing vulnerability present in subscription workers, which could allow...

PT-2026-45843

Name of the Vulnerable Software and Affected Versions Medplum versions prior to 5.1.14 Description An issue in the subscription worker allows authenticated users to perform unauthorized internal network requests. By creating FHIR Subscription resources with arbitrary endpoint URLs, attackers can...

CVE-2026-44323

free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's UDR nudr-dr DELETE /subscription-data/ueId/servingPlmnId/ee-subscriptions/subsId/amf-subscriptions handler contains a nil-pointer dereference reachable from a single authenticated request, after one...

CVE-2026-37226

FlexRIC v2.0.0 crashes when the iApp receives an E42RICSUBSCRIPTIONREQUEST referencing a non-existent E2 Node. The lookup function returns NULL, which is enforced by assert in Debug builds SIGABRT and dereferenced in Release builds SIGSEGV. A remote unauthenticated attacker can crash the iApp...

EUVD-2026-33699

FlexRIC v2.0.0 crashes when the iApp receives an E42RICSUBSCRIPTIONREQUEST with an empty ricEventTriggerDefinition field. The E42 layer decoder accepts this as valid, but the E2AP encoder asserts a non-empty constraint when forwarding the request. A remote unauthenticated attacker can crash the...

CVE-2026-37225

FlexRIC v2.0.0 crashes when the iApp receives an E42RICSUBSCRIPTIONREQUEST with an empty ricEventTriggerDefinition field. The E42 layer decoder accepts this as valid, but the E2AP encoder asserts a non-empty constraint when forwarding the request. A remote unauthenticated attacker can crash the...

CVE-2026-37221

FlexRIC v2.0.0 crashes when receiving a RICSUBSCRIPTIONRESPONSE with an unknown ricid that has no corresponding pending event. The near-RT RIC uses assert to enforce the existence of a pending event during response processing. A remote unauthenticated attacker can send a forged...

Exposure of Sensitive Information Through Metadata

Overview org.apache.activemq:activemq-broker is a high performance Apache 2.0 licensed Message Broker and JMS 1.1 implementation. Affected versions of this package are vulnerable to Exposure of Sensitive Information Through Metadata in the BrokerInfo component. An attacker can obtain sensitive...

CVE-2026-37225

FlexRIC v2.0.0 crashes when the iApp receives an E42RICSUBSCRIPTIONREQUEST with an empty ricEventTriggerDefinition field. The E42 layer decoder accepts this as valid, but the E2AP encoder asserts a non-empty constraint when forwarding the request. A remote unauthenticated attacker can crash the...

CVE-2026-37234

CVE-2026-37234 affects FlexRIC v2.0.0. A single SCTP connection can bind multiple xapp_ids via multiple E42_SETUP_REQUESTs. Upon disconnect, only the first registered xapp_id’s resources are cleaned up; other xapp_ids and their subscriptions remain as stale entries, allowing a remote attacker to ...

CVE-2026-37225

FlexRIC v2.0.0 is affected by CVE-2026-37225. The iApp crashes (SIGABRT) when processing an E42_RIC_SUBSCRIPTION_REQUEST that contains an empty ricEventTriggerDefinition field. The E42 layer decoder accepts the empty field, but the E2AP encoder enforces a non-empty constraint when forwarding the ...

CVE-2026-37221

FlexRIC v2.0.0 is affected. Processing a RIC_SUBSCRIPTION_RESPONSE with an unknown ric_id that has no corresponding pending event can trigger an assertion failure (near-RT RIC) leading to SIGABRT in Debug builds or a NULL pointer dereference (SIGSEGV) in Release builds. This can be exploited remo...

CVE-2026-37226

FlexRIC v2.0.0 is vulnerable: when the iApp receives an E42_RIC_SUBSCRIPTION_REQUEST referencing a non-existent E2 Node, the lookup returns NULL and triggers an abort in Debug builds (SIGABRT) or a segfault in Release builds (SIGSEGV), allowing a remote unauthenticated attacker to crash the iApp ...

CVE-2026-37226

FlexRIC v2.0.0 crashes when the iApp receives an E42RICSUBSCRIPTIONREQUEST referencing a non-existent E2 Node. The lookup function returns NULL, which is enforced by assert in Debug builds SIGABRT and dereferenced in Release builds SIGSEGV. A remote unauthenticated attacker can crash the iApp...

PT-2026-45455

FlexRIC v2.0.0 crashes when the iApp receives an E42 RIC SUBSCRIPTION REQUEST with an empty ricEventTriggerDefinition field. The E42 layer decoder accepts this as valid, but the E2AP encoder asserts a non-empty constraint when forwarding the request. A remote unauthenticated attacker can crash th...