668 matches found
GHSA-VHJM-W67Q-G75C @hapi/wreck leaks sensitive `Proxy-Authorization` header across cross-hostname redirects
Impact: When @hapi/wreck follows a 3xx redirect to a different hostname, only the `Authorization` and `Cookie` headers are stripped. The standard credential header `Proxy-Authorization` is forwarded intact to the redirect target, potentially exposing forward-proxy credentials to a host outside the...
Interpretation Conflict
Overview: @hapi/content is an HTTP Content-* headers parsing package. Affected versions of this package are vulnerable to Interpretation Conflict due to inconsistent handling of duplicate parameters in the Content.disposition and Content.type functions. An attacker can bypass upload filename allowlists or...
GHSA-36HH-X5P5-JGC8 @hapi/content header parser has a parameter smuggling issue that allows upload-filter bypass via duplicate parameters
Impact: The two parsers resolved duplicates inconsistently and silently:
- Content.disposition retained the last occurrence of each parameter.
- Content.type retained the first occurrence of charset and boundary.
Either behavior creates a parameter-smuggling primitive when another component in the...
PT-2026-43631
Impact: When @hapi/wreck follows a 3xx redirect to a different hostname, only the `Authorization` and `Cookie` headers are stripped. The standard credential header `Proxy-Authorization` is forwarded intact to the redirect target, potentially exposing forward-proxy credentials to a host outside the...
ROOT-APP-MAVEN-CVE-2026-34359 CVE-2026-34359 in io.root.ca.uhn.hapi.fhir:org.hl7.fhir.utilities - Patched by Root
Root has patched CVE-2026-34359 in the io.root.ca.uhn.hapi.fhir:org.hl7.fhir.utilities package for Root:Maven. Multiple fixed versions available...
ROOT-APP-MAVEN-CVE-2026-45367 CVE-2026-45367 in io.root.ca.uhn.hapi.fhir:org.hl7.fhir.dstu2 - Patched by Root
Root has patched CVE-2026-45367 in the io.root.ca.uhn.hapi.fhir:org.hl7.fhir.dstu2 package for Root:Maven. Multiple fixed versions available...
ROOT-APP-MAVEN-CVE-2026-34361 CVE-2026-34361 in io.root.ca.uhn.hapi.fhir:org.hl7.fhir.validation - Patched by Root
Root has patched CVE-2026-34361 in the io.root.ca.uhn.hapi.fhir:org.hl7.fhir.validation package for Root:Maven. Multiple fixed versions available...
ROOT-APP-MAVEN-CVE-2026-33180 CVE-2026-33180 in io.root.ca.uhn.hapi.fhir:org.hl7.fhir.utilities - Patched by Root
Root has patched CVE-2026-33180 in the io.root.ca.uhn.hapi.fhir:org.hl7.fhir.utilities package for Root:Maven. Multiple fixed versions available...
ca.uhn.hapi.fhir:hapi-fhir-cli-api (>=3.4.0 <=8.8.1), ca.uhn.hapi.fhir:hapi-fhir-cli-app (>=5.7.7 <=7.4.5) +209 more potentially affected by CVE-2026-45367 via ca.uhn.hapi.fhir:org.hl7.fhir.r4b (>=5.6.100 <=6.9.5)
ca.uhn.hapi.fhir:org.hl7.fhir.r4b MAVEN version =5.6.100, =3.4.0, =5.7.7, =5.7.0, =5.7.0, =5.7.0, =5.7.0, =5.7.0, =6.2.0, =6.8.0, =6.4.0, =5.7.0, =5.7.0, =5.7.0, =5.7.0, =5.7.7, =6.8.0 and more Source cves: CVE-2026-45367 Source advisory: OSV:GHSA-3653-68V6-RQ57...
HAPI FHIR: ReDoS via FHIRPath matches()/replaceMatches() in FHIR Validator HTTP Endpoint
All implementations of FHIRPathEngine accept arbitrary FHIRPath expressions and evaluate them without input validation. The FHIRPath functions matches, matchesFull, and replaceMatches pass user-controlled regular expressions directly to Java's Pattern.compile and String.replaceAll without...
@agentholdings/agent-passport (>=0.1.0 <=0.1.5), @chrysb/alphaclaw (>=0.8.3 <=0.9.10) +20 more potentially affected by CVE-2026-45005 via openclaw (>=0.0.1 <=2026.4.21)
openclaw NPM version =0.0.1, =0.1.0, =0.8.3, =0.1.0, =2026.3.25, =27.2.5, =1.1.0, =2.1.3, =2026.3.24-3, =0.14.39, =0.1.0, =0.1.1, =0.2.18 - @xmoxmo/bncr =0.0.8 - morpho-vault-manager =0.1.0 and more Source cves: CVE-2026-45005 Source advisory: OSV:GHSA-Q8FF-7FFM-M3R9...
@chrysb/alphaclaw (>=0.9.1 <=0.9.5), @twsxtd/hapi-openclaw (>=0.1.0 <=0.1.8) +2 more potentially affected by CVE-2026-43572 via openclaw (>=2026.4.10 <=2026.4.12)
openclaw NPM version =2026.4.10, =0.9.1, =0.1.0, =0.1.8 - morpho-vault-manager =0.1.0 - openclaw-morpho-vault-manager =0.2.0 Source cves: CVE-2026-43572 Source advisory: SNYK:JS-OPENCLAW-16420268...
best.skn:skn-spring-mail (>=1.0.0 <=2.4.0), ca.uhn.hapi.fhir:hapi-fhir-cli-api (>=7.0.0 <=8.8.1) +715 more potentially affected by CVE-2026-41901 via org.thymeleaf:thymeleaf-spring6 (>=3.1.0.M1 <=3.1.4.RELEASE)
org.thymeleaf:thymeleaf-spring6 MAVEN version =3.1.0.M1, =1.0.0, =7.0.0, =7.0.0, =7.0.0, =7.0.0, =7.0.0, =7.0.0, =7.0.0, =7.0.0, =7.0.0, =7.0.0, =7.6.0, =7.6.0, =7.0.0, =7.0.0, =8.8.1 and more Source cves: CVE-2026-41901 Source advisory: OSV:GHSA-C9PH-GXWW-7744...
best.skn:skn-spring-mail (>=1.0.0 <=2.4.0), ca.uhn.hapi.fhir:hapi-fhir-cli-api (>=7.0.0 <=8.8.1) +715 more potentially affected by CVE-2026-41901 via org.thymeleaf:thymeleaf-spring6 (>=3.1.0.M1 <=3.1.4.RELEASE)
org.thymeleaf:thymeleaf-spring6 MAVEN version =3.1.0.M1, =1.0.0, =7.0.0, =7.0.0, =7.0.0, =7.0.0, =7.0.0, =7.0.0, =7.0.0, =7.0.0, =7.0.0, =7.0.0, =7.6.0, =7.6.0, =7.0.0, =7.0.0, =8.8.1 and more Source cves: CVE-2026-41901 Source advisory: SNYK:JAVA-ORGTHYMELEAF-16419367...
ai.ancf.lmos:lmos-operator (>=0.5.0 <=0.6.0), ai.telosforge:kimaira-starter-dms (>=1.2.4 <=1.2.6) +5034 more potentially affected by CVE-2026-22741 via org.springframework:spring-webmvc (>=6.2.0 <=6.2.17)
org.springframework:spring-webmvc MAVEN version =6.2.0, =0.5.0, =1.2.4, =1.2.4, =1.17.0, =0.3.0, =0.0.1, =0.1.0, =0.1.0, =0.1.0, =8.6.0, =8.6.0, =8.6.0, =8.6.0, =8.6.0, =8.8.1 and more Source cves: CVE-2026-22741 Source advisory: OSV:GHSA-WG35-8JPF-2XV3...
ROOT-APP-NPM-CVE-2026-35213 CVE-2026-35213 in @rootio/hapi__content - Patched by Root
Root has patched CVE-2026-35213 in the @rootio/hapi__content package for Root:npm. Multiple fixed versions available...
@chrysb/alphaclaw (>=0.9.1 <=0.9.5), @twsxtd/hapi-openclaw (>=0.1.0 <=0.1.8) +2 more potentially affected by CVE-2026-43572 via openclaw (>=2026.4.10 <=2026.4.12)
openclaw NPM version =2026.4.10, =0.9.1, =0.1.0, =0.1.8 - morpho-vault-manager =0.1.0 - openclaw-morpho-vault-manager =0.2.0 Source cves: CVE-2026-43572 Source advisory: OSV:GHSA-GC9R-867R-J85F...
@chrysb/alphaclaw (>=0.9.1 <=0.9.5), @twsxtd/hapi-openclaw (>=0.1.0 <=0.1.8) +2 more potentially affected by CVE-2026-43583 via openclaw (>=2026.4.10 <=2026.4.12)
openclaw NPM version =2026.4.10, =0.9.1, =0.1.0, =0.1.8 - morpho-vault-manager =0.1.0 - openclaw-morpho-vault-manager =0.2.0 Source cves: CVE-2026-43583 Source advisory: OSV:GHSA-R77C-2CMR-7P47...
@chrysb/alphaclaw (>=0.9.1 <=0.9.5), @twsxtd/hapi-openclaw (>=0.1.0 <=0.1.8) +2 more potentially affected by CVE-2026-43583 via openclaw (>=2026.4.10 <=2026.4.12)
openclaw NPM version =2026.4.10, =0.9.1, =0.1.0, =0.1.8 - morpho-vault-manager =0.1.0 - openclaw-morpho-vault-manager =0.2.0 Source cves: CVE-2026-43583 Source advisory: SNYK:JS-OPENCLAW-16109727...