Lucene search
+L

20 matches found

CVE
CVE
added yesterday12 views

CVE-2026-49485

Summary: CVE-2026-49485 affects HAPI FHIR’s FHIRPathEngine (matches(), matchesFull(), replaceMatches()) where user-controlled regex patterns are compiled via Java’s regex engine, enabling ReDoS and CPU exhaustion. The issue exists in implementations prior to version 6.9.9 and 6.9.4.2. An attacker...

7.5CVSS5.5AI score
Exploits0References6
CVE
CVE
added 2 days ago28 views

CVE-2026-45367

CVE-2026-45367 affects HAPI FHIR DSTU2 module (org.hl7.fhir.dstu2) where FHIRPathEngine.matches() still calls String.matches() without a timeout, enabling potential ReDoS via user-supplied FHIRPath expressions. Other modules (DSTU2016MAY, DSTU3, R4, R4B, R5) have RegexTimeout protection and are f...

7.5CVSS6.1AI score0.00489EPSS
Exploits0References6
OSV
OSV
added 2 days ago4 views

CVE-2026-45367 HAPI FHIR: ReDoS via FHIRPath matches()/replaceMatches() in FHIR Validator HTTP Endpoint

HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to 6.9.7, the FHIRPathEngine implementation passes user-controlled regular expressions from matches, matchesFull, and replaceMatches to Java regex operations without effective timeouts,...

7.5CVSS6.1AI score0.00489EPSS
Exploits0References8
Snyk
Snyk
added 2026/07/09 1:43 p.m.7 views

Regular Expression Denial of Service (ReDoS)

Amendment This was deemed not a vulnerability. Overview Affected versions of this package are vulnerable to Regular Expression Denial of Service ReDoS via the matches, matchesFull, and replaceMatches functions in FHIRPath expression evaluation. An attacker can exhaust system CPU resources by...

8.7CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/07/09 1:43 p.m.4 views

Regular Expression Denial of Service (ReDoS)

Amendment This was deemed not a vulnerability. Overview Affected versions of this package are vulnerable to Regular Expression Denial of Service ReDoS via the matches, matchesFull, and replaceMatches functions in FHIRPath expression evaluation. An attacker can exhaust system CPU resources by...

8.7CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/07/09 1:43 p.m.5 views

Regular Expression Denial of Service (ReDoS)

Overview Affected versions of this package are vulnerable to Regular Expression Denial of Service ReDoS via the matches, matchesFull, and replaceMatches functions in FHIRPath expression evaluation. An attacker can exhaust system CPU resources by submitting specially crafted regular expressions th...

8.7CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/07/09 1:43 p.m.5 views

Regular Expression Denial of Service (ReDoS)

Overview Affected versions of this package are vulnerable to Regular Expression Denial of Service ReDoS via the matches, matchesFull, and replaceMatches functions in FHIRPath expression evaluation. An attacker can exhaust system CPU resources by submitting specially crafted regular expressions th...

8.7CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/07/09 1:43 p.m.6 views

Regular Expression Denial of Service (ReDoS)

Overview Affected versions of this package are vulnerable to Regular Expression Denial of Service ReDoS via the matches, matchesFull, and replaceMatches functions in FHIRPath expression evaluation. An attacker can exhaust system CPU resources by submitting specially crafted regular expressions th...

8.7CVSS6AI score
Exploits0References2
GitLab Advisory Database
GitLab Advisory Database
added 2026/07/09 12:0 a.m.7 views

org.hl7.fhir.core: ReDoS via FHIRPath matches()/replaceMatches() in FHIR Validator HTTP Endpoint

All implementations of FHIRPathEngine accept arbitrary FHIRPath expressions and evaluate them without input validation. The utility intended to secure this evaluation did so incorrectly, and did not fully cover all places in which evaluation was being done. An attacker can send a resource...

7.5CVSS6.1AI score
Exploits0References3Affected Software1
GitLab Advisory Database
GitLab Advisory Database
added 2026/07/09 12:0 a.m.6 views

org.hl7.fhir.core: ReDoS via FHIRPath matches()/replaceMatches() in FHIR Validator HTTP Endpoint

All implementations of FHIRPathEngine accept arbitrary FHIRPath expressions and evaluate them without input validation. The utility intended to secure this evaluation did so incorrectly, and did not fully cover all places in which evaluation was being done. An attacker can send a resource...

7.5CVSS6.1AI score
Exploits0References3Affected Software1
GitLab Advisory Database
GitLab Advisory Database
added 2026/07/09 12:0 a.m.6 views

org.hl7.fhir.core: ReDoS via FHIRPath matches()/replaceMatches() in FHIR Validator HTTP Endpoint

All implementations of FHIRPathEngine accept arbitrary FHIRPath expressions and evaluate them without input validation. The utility intended to secure this evaluation did so incorrectly, and did not fully cover all places in which evaluation was being done. An attacker can send a resource...

7.5CVSS6.1AI score
Exploits0References3Affected Software1
GitLab Advisory Database
GitLab Advisory Database
added 2026/07/09 12:0 a.m.8 views

org.hl7.fhir.core: ReDoS via FHIRPath matches()/replaceMatches() in FHIR Validator HTTP Endpoint

All implementations of FHIRPathEngine accept arbitrary FHIRPath expressions and evaluate them without input validation. The utility intended to secure this evaluation did so incorrectly, and did not fully cover all places in which evaluation was being done. An attacker can send a resource...

7.5CVSS6.1AI score
Exploits0References3Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/07/08 9:27 p.m.5 views

CVE-2026-55470

HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to 6.9.10, the fix for CVE-2026-45367 incompletely patched the DSTU2 module, leaving FHIRPathEngine.matches in org.hl7.fhir.dstu2/utils/FHIRPathEngine.java to call raw String.matchessw...

7.5CVSS5.9AI score0.00374EPSS
Exploits1References4Affected Software1
GitLab Advisory Database
GitLab Advisory Database
added 2026/06/17 12:0 a.m.26 views

HAPI FHIR: Incomplete fix for CVE-2026-45367: DSTU2 FHIRPathEngine.matches() missing RegexTimeout protection allows ReDoS

The fix for CVE-2026-45367 added RegexTimeout protection to the matches function in DSTU2016MAY, DSTU3, R4, R4B, and R5, but the DSTU2 module was incompletely patched. In org.hl7.fhir.dstu2, replaceMatches was updated while matches at line 2462 still calls the raw String.matchessw without any...

7.5CVSS5.2AI score0.00489EPSS
Exploits1References3
GitLab Advisory Database
GitLab Advisory Database
added 2026/05/18 12:0 a.m.12 views

HAPI FHIR: ReDoS via FHIRPath matches()/replaceMatches() in FHIR Validator HTTP Endpoint

All implementations of FHIRPathEngine accept arbitrary FHIRPath expressions and evaluate them without input validation. The FHIRPath functions matches, matchesFull, and replaceMatches pass user-controlled regular expressions directly to Java's Pattern.compile and String.replaceAll without...

7.5CVSS5.9AI score0.00489EPSS
Exploits0References3
GitLab Advisory Database
GitLab Advisory Database
added 2026/05/18 12:0 a.m.11 views

HAPI FHIR: ReDoS via FHIRPath matches()/replaceMatches() in FHIR Validator HTTP Endpoint

All implementations of FHIRPathEngine accept arbitrary FHIRPath expressions and evaluate them without input validation. The FHIRPath functions matches, matchesFull, and replaceMatches pass user-controlled regular expressions directly to Java's Pattern.compile and String.replaceAll without...

7.5CVSS5.9AI score0.00489EPSS
Exploits0References3
GitLab Advisory Database
GitLab Advisory Database
added 2026/05/18 12:0 a.m.11 views

HAPI FHIR: ReDoS via FHIRPath matches()/replaceMatches() in FHIR Validator HTTP Endpoint

All implementations of FHIRPathEngine accept arbitrary FHIRPath expressions and evaluate them without input validation. The FHIRPath functions matches, matchesFull, and replaceMatches pass user-controlled regular expressions directly to Java's Pattern.compile and String.replaceAll without...

7.5CVSS5.9AI score0.00489EPSS
Exploits0References3
vulnersOsv
vulnersOsv
added 2026/03/30 5:21 p.m.11 views

au.csiro.pathling:encoders (>=6.2.2 <=9.5.0), au.csiro.pathling:fhir-server (>=6.2.2 <=7.2.0) +244 more potentially affected by CVE-2026-34360 via ca.uhn.hapi.fhir:org.hl7.fhir.utilities (>=6.0.0 <=6.9.3)

ca.uhn.hapi.fhir:org.hl7.fhir.utilities MAVEN version =6.0.0, =6.2.2, =6.2.2, =6.2.2, =6.2.2, =6.2.2, =6.2.2, =6.6.0, =6.6.0, =6.6.0, =6.6.0, =6.6.0, =6.6.0, =8.8.1 and more Source cves: CVE-2026-34360 Source advisory: SNYK:JAVA-CAUHNHAPIFHIR-15855324...

5.8CVSS5.4AI score0.00235EPSS
Exploits1
vulnersOsv
vulnersOsv
added 2026/03/30 5:19 p.m.13 views

au.csiro.pathling:encoders (>=8.0.0 <=9.5.0), au.csiro.pathling:fhirpath (>=8.0.0 <=9.5.0) +164 more potentially affected by CVE-2026-34359 via ca.uhn.hapi.fhir:org.hl7.fhir.utilities (>=6.4.1 <=6.9.3)

ca.uhn.hapi.fhir:org.hl7.fhir.utilities MAVEN version =6.4.1, =8.0.0, =8.0.0, =8.0.0, =8.0.0, =8.0.0, =8.2.0, =8.2.0, =8.2.0, =8.2.0, =8.2.0, =8.2.0, =8.2.0, =8.2.0, =8.2.0, =8.8.1 and more Source cves: CVE-2026-34359 Source advisory: SNYK:JAVA-CAUHNHAPIFHIR-15855257...

9.1CVSS5.4AI score0.00158EPSS
Exploits1
vulnersOsv
vulnersOsv
added 2026/03/18 8:7 p.m.8 views

au.csiro.pathling:encoders (>=5.1.0 <=9.5.0), au.csiro.pathling:fhir-server (>=5.3.1 <=7.2.0) +352 more potentially affected by CVE-2026-33180 via ca.uhn.hapi.fhir:org.hl7.fhir.utilities (>=0.0.1 <=6.8.2)

ca.uhn.hapi.fhir:org.hl7.fhir.utilities MAVEN version =0.0.1, =5.1.0, =5.3.1, =6.2.1, =5.3.1, =5.3.1, =5.3.0, =0.0.9, =5.6.5, =5.6.5, =5.6.5, =3.4.0, =5.6.5, =4.1.0, =4.0.3, =8.8.1 and more Source cves: CVE-2026-33180 Source advisory: OSV:GHSA-P7M9-V2CM-2H7M...

8.2CVSS5.4AI score0.00264EPSS
Exploits0
Rows per page
Query Builder