722 matches found
CVE-2026-48049
The CVE-2026-48049 issue affects @hapi/inert (versions 4.0.0–7.1.0). A confinement bypass was caused by a flawed raw string-prefix path check, allowing an unauthenticated remote attacker to read files via traversal (e.g., /..%2fstatic-secret/secret.txt). The vulnerability is mitigated by upgradin...
CVE-2026-48022
The CVE concerns @hapi/wreck, an HTTP client utility. Before version 18.1.2, it forwarded credential headers (Authorization, Cookie, Proxy-Authorization) across cross-origin redirects because the origin check only compared hostnames and ignored scheme and port. This allowed credentials to flow ac...
CVE-2026-44979
CVE-2026-44979 affects the @hapi/wreck HTTP client. Before 18.1.1, when following a 3xx redirect to a different hostname, the Proxy-Authorization header was not stripped (unlike Authorization and Cookie), potentially exposing forward-proxy credentials to the redirect target. The issue is fixed in...
CVE-2026-49485
Summary: CVE-2026-49485 affects HAPI FHIR’s FHIRPathEngine (matches(), matchesFull(), replaceMatches()) where user-controlled regex patterns are compiled via Java’s regex engine, enabling ReDoS and CPU exhaustion. The issue exists in implementations prior to version 6.9.9 and 6.9.4.2. An attacker...
CVE-2026-44974 Parameter smuggling in @hapi/content header parser allows upload-filter bypass via duplicate parameters
@hapi/content provided HTTP Content- headers parsing. Prior to 6.0.2, Content.disposition retained the last occurrence of each duplicate parameter while Content.type retained the first occurrence of duplicate charset and boundary parameters, creating a parameter-smuggling primitive when another...
CVE-2026-44974
CVE-2026-44974 affects the @hapi/content header parser. Before v6.0.2, Content.disposition() kept the last value for duplicate parameters while Content.type() kept the first for duplicate charset/boundary parameters, creating a parameter-smuggling primitive when duplicates are resolved inconsiste...
CVE-2026-45367
HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to 6.9.7, the FHIRPathEngine implementation passes user-controlled regular expressions from matches, matchesFull, and replaceMatches to Java regex operations without effective timeouts,...
CVE-2026-45367
CVE-2026-45367 affects HAPI FHIR DSTU2 module (org.hl7.fhir.dstu2) where FHIRPathEngine.matches() still calls String.matches() without a timeout, enabling potential ReDoS via user-supplied FHIRPath expressions. Other modules (DSTU2016MAY, DSTU3, R4, R4B, R5) have RegexTimeout protection and are f...
CVE-2026-45367 HAPI FHIR: ReDoS via FHIRPath matches()/replaceMatches() in FHIR Validator HTTP Endpoint
HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to 6.9.7, the FHIRPathEngine implementation passes user-controlled regular expressions from matches, matchesFull, and replaceMatches to Java regex operations without effective timeouts,...
ROOT-APP-MAVEN-CVE-2026-33180 CVE-2026-33180 in io.root.ca.uhn.hapi.fhir:org.hl7.fhir.utilities - Patched by Root
Root has patched CVE-2026-33180 in the io.root.ca.uhn.hapi.fhir:org.hl7.fhir.utilities package for Root:Maven. Multiple fixed versions available...
ROOT-APP-MAVEN-CVE-2026-55470 CVE-2026-55470 in io.root.ca.uhn.hapi.fhir:org.hl7.fhir.dstu2 - Patched by Root
Root has patched CVE-2026-55470 in the io.root.ca.uhn.hapi.fhir:org.hl7.fhir.dstu2 package for Root:Maven. Multiple fixed versions available...
ROOT-APP-MAVEN-CVE-2026-34361 CVE-2026-34361 in io.root.ca.uhn.hapi.fhir:org.hl7.fhir.validation - Patched by Root
Root has patched CVE-2026-34361 in the io.root.ca.uhn.hapi.fhir:org.hl7.fhir.validation package for Root:Maven. Multiple fixed versions available...
ROOT-APP-MAVEN-CVE-2026-34359 CVE-2026-34359 in io.root.ca.uhn.hapi.fhir:org.hl7.fhir.utilities - Patched by Root
Root has patched CVE-2026-34359 in the io.root.ca.uhn.hapi.fhir:org.hl7.fhir.utilities package for Root:Maven. Multiple fixed versions available...
ROOT-APP-MAVEN-CVE-2026-45367 CVE-2026-45367 in io.root.ca.uhn.hapi.fhir:org.hl7.fhir.dstu2 - Patched by Root
Root has patched CVE-2026-45367 in the io.root.ca.uhn.hapi.fhir:org.hl7.fhir.dstu2 package for Root:Maven. Multiple fixed versions available...
ROOT-APP-MAVEN-CVE-2026-34360 CVE-2026-34360 in io.root.ca.uhn.hapi.fhir:org.hl7.fhir.core - Patched by Root
Root has patched CVE-2026-34360 in the io.root.ca.uhn.hapi.fhir:org.hl7.fhir.core package for Root:Maven. Multiple fixed versions available...
ROOT-APP-MAVEN-CVE-2026-49485 CVE-2026-49485 in io.root.ca.uhn.hapi.fhir:org.hl7.fhir.validation - Patched by Root
Root has patched CVE-2026-49485 in the io.root.ca.uhn.hapi.fhir:org.hl7.fhir.validation package for Root:Maven. Multiple fixed versions available...
ROOT-APP-NPM-CVE-2026-48049 CVE-2026-48049 in @rootio/hapi__inert - Patched by Root
Root has patched CVE-2026-48049 in the @rootio/hapiinert package for Root:npm. Multiple fixed versions available...
ROOT-APP-NPM-CVE-2026-48022 CVE-2026-48022 in @rootio/hapi__wreck - Patched by Root
Root has patched CVE-2026-48022 in the @rootio/hapiwreck package for Root:npm. Multiple fixed versions available...
ROOT-APP-NPM-CVE-2026-44979 CVE-2026-44979 in @rootio/hapi__wreck - Patched by Root
Root has patched CVE-2026-44979 in the @rootio/hapiwreck package for Root:npm. Multiple fixed versions available...
CVE-2026-55471
HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to 6.9.10, org.hl7.fhir.utilities.XsltUtilities saxonTransform... overloads instantiated a bare net.sf.saxon.TransformerFactoryImpl without ACCESSEXTERNALDTD or ACCESSEXTERNALSTYLESHEET...