5 matches found

Source: CVE
Added 2026/04/02 4:44 p.m. | 20 views

CVE-2026-34785

CVE-2026-34785 affects Rack (modular Ruby web server interface). Vulnerable component: Rack::Static. Issue: a simplistic string-prefix check for URL prefixes (e.g., "/css") causes matches on paths starting with that string, potentially serving files under the static root whose names merely share ...

CVSS 7.5 | AI score 5.7 | EPSS 0.00387
Exploits 0 | References 4 | Affected software 1
Source: Vulnrichment
Added 2026/03/31 4:56 p.m. | 2 views

CVE-2026-34359 HAPI FHIR: Authentication Credential Leakage via Improper URL Prefix Matching on HTTP Redirect in HAPI FHIR Core

HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to version 6.9.4, ManagedWebAccessUtils.getServer uses String.startsWith to match request URLs against configured server URLs for authentication credential dispatch. Because configured...

CVSS 7.4 | AI score 5.8 | EPSS 0.00158
Exploits 1 | References 1
Source: CVE
Added 2026/03/31 4:56 p.m. | 15 views

CVE-2026-34359

Summary: CVE-2026-34359 affects HAPI FHIR Core prior to 6.9.4, where ManagedWebAccessUtils.getServer() used String.startsWith() to map request URLs to configured servers. This enables credential leakage via HTTP redirects to attacker-controlled domains that prefix-match configured URLs (e.g., htt...

CVSS 9.1 | AI score 5.8 | EPSS 0.00158
Exploits 1 | References 1 | Affected software 1
Source: OSV
Added 2026/03/31 4:56 p.m. | 4 views

CVE-2026-34359 HAPI FHIR: Authentication Credential Leakage via Improper URL Prefix Matching on HTTP Redirect in HAPI FHIR Core

HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to version 6.9.4, ManagedWebAccessUtils.getServer uses String.startsWith to match request URLs against configured server URLs for authentication credential dispatch. Because configured...

CVSS 7.4 | AI score 5.8 | EPSS 0.00158
Exploits 1 | References 3
Source: GitLab Advisory Database
Added 2026/03/30 12:00 a.m. | 7 views

HAPI FHIR Core has Authentication Credential Leakage via Improper URL Prefix Matching on HTTP Redirect

ManagedWebAccessUtils.getServer uses String.startsWith to match request URLs against configured server URLs for authentication credential dispatch. Because configured server URLs (e.g., http://tx.fhir.org) lack a trailing slash or host boundary check, an attacker-controlled domain like...

CVSS 9.1 | AI score 5.9 | EPSS 0.00158
Exploits 1 | References 4
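Both advisories above (the Rack::Static entry and the HAPI FHIR entries) describe the same root cause: a bare string-prefix test used where a URL or path boundary was needed. As an added illustration, not code from Rack, HAPI FHIR or any of the advisory sources, the Ruby below puts the naive start_with? matcher beside a hardened one that parses the URL, requires identical scheme, host and port, and then applies a path-segment boundary check. The configured server map, the dummy credentials, the attacker hostname and all function names are constructed for the example.

```ruby
require "uri"

# Constructed sample configuration (hypothetical; mirrors the
# http://tx.fhir.org shape quoted in the advisory). Credentials are dummies.
CONFIGURED_SERVERS = {
  "http://tx.fhir.org"           => "Bearer tx-token",
  "https://api.example.org/fhir" => "Bearer api-token",
}.freeze

# Vulnerable pattern from the advisories: a bare string-prefix test.
# "http://tx.fhir.org.attacker.example/..." starts with "http://tx.fhir.org",
# so the credential for tx.fhir.org would be dispatched to the attacker's host.
def naive_server_for(url)
  CONFIGURED_SERVERS.keys.find { |server| url.start_with?(server) }
end

# Path-segment-aware prefix test: "/css" matches "/css" and "/css/app.css"
# but not "/cssfoo". This is the boundary check the Rack::Static entry lacks.
def path_prefix?(prefix, path)
  prefix = prefix.chomp("/")
  return true if prefix.empty?
  return false unless path.start_with?(prefix)
  rest = path[prefix.length..]
  rest.empty? || rest.start_with?("/")
end

# Hardened matcher: parse both sides and require identical scheme, host and
# port, then a path-segment boundary. Unparseable or hostless URLs match nothing.
def strict_server_for(url)
  req = begin
    URI.parse(url)
  rescue URI::InvalidURIError
    return nil
  end
  return nil unless req.host

  CONFIGURED_SERVERS.keys.find do |server|
    cfg = URI.parse(server)
    req.scheme == cfg.scheme &&
      req.host.casecmp?(cfg.host) &&
      req.port == cfg.port &&
      path_prefix?(cfg.path, req.path)
  end
end

# Simulates the credential-dispatch decision when a client follows an HTTP
# redirect: the credential is attached only if the matcher maps the Location
# header value to a configured server.
def credential_for_redirect(location, matcher)
  server = send(matcher, location)
  server && CONFIGURED_SERVERS[server]
end

if __FILE__ == $PROGRAM_NAME
  evil = "http://tx.fhir.org.attacker.example/ValueSet"
  puts "naive  -> #{credential_for_redirect(evil, :naive_server_for).inspect}"
  puts "strict -> #{credential_for_redirect(evil, :strict_server_for).inspect}"
end
```

The strict matcher also rejects a scheme downgrade (https configured, http redirect) and a different port, because URI#port returns the scheme default when none is given and both must agree; comparing a normalized origin rather than a string is what closes the host-suffix trick in every variant.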