Lucene search
+L

18 matches found

Cvelist
Cvelist
added 2026/07/08 9:28 p.m.38 views

CVE-2026-55471 HAPI FHIR: XXE in XsltUtilities.saxonTransform via unhardened Saxon TransformerFactory

HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to 6.9.10, org.hl7.fhir.utilities.XsltUtilities saxonTransform... overloads instantiated a bare net.sf.saxon.TransformerFactoryImpl without ACCESSEXTERNALDTD or ACCESSEXTERNALSTYLESHEET...

8.7CVSS0.00315EPSS
Exploits1References3
CVE
CVE
added 2026/07/08 9:28 p.m.35 views

CVE-2026-55471

CVE-2026-55471 affects HAPI FHIR: org.hl7.fhir.utilities XsltUtilities.saxsonTransform overloads (XsltUtilities.saxonTransform) prior to 6.9.10. The root cause is the use of a bare net.sf.saxon.TransformerFactoryImpl() without ACCESS_EXTERNAL_DTD and ACCESS_EXTERNAL_STYLESHEET restrictions, enabl...

9.1CVSS6AI score0.00315EPSS
Exploits1References3Affected Software1
Veracode
Veracode
added 2026/06/20 11:25 a.m.6 views

XML External Entity (XXE) Injection

org.hl7.fhir.utilities is vulnerable to XML External Entity XXE Injection. The vulnerability is due to the saxonTransform... methods instantiating an unprotected TransformerFactory without restricting external DTDs and stylesheets, which allows an attacker to supply a malicious XML document that...

9.1CVSS6AI score0.00315EPSS
Exploits1References4Affected Software1
Snyk
Snyk
added 2026/06/17 6:47 p.m.7 views

XML External Entity (XXE) Injection

Overview Affected versions of this package are vulnerable to XML External Entity XXE Injection through the saxonTransform function that uses unhardened net.sf.saxon.TransformerFactoryImpl method. An attacker can access sensitive local files or trigger arbitrary HTTPS requests from the host by...

9.1CVSS6.1AI score0.00315EPSS
Exploits1References2
Github Security Blog
Github Security Blog
added 2026/06/17 6:47 p.m.13 views

HAPI FHIR: XXE in XsltUtilities.saxonTransform via unhardened Saxon TransformerFactory

Summary org.hl7.fhir.utilities.XsltUtilities exposes two parallel families of XSLT transform helpers. The transform... overloads obtain their TransformerFactory from the project's hardened helper XMLUtil.newXXEProtectedTransformerFactory which sets ACCESSEXTERNALDTD="" and...

9.1CVSS5.5AI score0.00315EPSS
Exploits1References2Affected Software1
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.22 views

PT-2026-50600

Name of the Vulnerable Software and Affected Versions org.hl7.fhir.utilities versions 6.9.8 and earlier Description The org.hl7.fhir.utilities library contains an XML External Entity XXE injection flaw. The saxonTransform function overloads instantiate a bare net.sf.saxon.TransformerFactoryImpl...

9.2CVSS6AI score0.00315EPSS
Exploits1References8
OSV
OSV
added 2022/07/07 9:15 p.m.4 views

CVE-2021-41042

In Eclipse Lyo versions 1.0.0 to 4.1.0, a TransformerFactory is initialized with the defaults that do not restrict DTD loading when working with RDF/XML. This allows an attacker to cause an external DTD to be retrieved...

5.3CVSS5.8AI score0.00953EPSS
Exploits1References1
RedHat Linux
RedHat Linux
added 2020/06/15 4:16 p.m.6 views

EAP: XXE issue in TransformerFactory

It was found that the Red Hat JBoss EAP 7.0.5 implementation of javax.xml.transform.TransformerFactory is vulnerable to XXE. An attacker could use this flaw to launch DoS or SSRF attacks, or read files from the server where EAP is deployed...

9.8CVSS5.8AI score0.02007EPSS
Exploits0References4
OSV
OSV
added 2018/06/27 4:29 p.m.6 views

CVE-2017-7465

It was found that the JAXP implementation used in JBoss EAP 7.0 for XSLT processing is vulnerable to code injection. An attacker could use this flaw to cause remote code execution if they are able to provide XSLT content for parsing. Doing a transform in JAXP requires the use of a...

9.8CVSS6.4AI score0.02976EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2018/06/27 12:0 a.m.9 views

PT-2018-8385 · Red Hat · Jboss Eap

Name of the Vulnerable Software and Affected Versions: JBoss EAP version 7.0 Description: A code injection issue was found in the JAXP implementation used for XSLT processing, which could allow an attacker to achieve remote code execution if they can provide XSLT content for parsing. The issue...

9.8CVSS9.6AI score0.02976EPSS
Exploits0References4
CNVD
CNVD
added 2017/05/22 12:0 a.m.5 views

Red Hat JBoss Enterprise Application Platform Cross-Site Scripting Vulnerability

Red Hat JBoss Enterprise Application Platform EAP is the United States Red Hat Red Hat company's set of open source, J2EE-based middleware platform. The platform is mainly used to build, deploy and host Java applications and services. Red Hat JBoss EAP 7.0.5 version of the...

9.8CVSS6.5AI score0.02007EPSS
Exploits0References1
RedHat Linux
RedHat Linux
added 2014/04/17 11:30 a.m.4 views

OpenJDK: javax.xml.transform.TransformerFactory does not properly honor XMLConstants.FEATURE_SECURE_PROCESSING (JAXP, 8012425)

Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via...

7.5CVSS6.8AI score0.04431EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2014/04/01 12:0 a.m.7 views

PT-2014-1795 · Apache +5 · Apache Xalan-Java +5

Name of the Vulnerable Software and Affected Versions: Apache Xalan-Java versions prior to 2.7.2 Description: The issue allows remote attackers to bypass expected restrictions and load arbitrary classes or access external resources via a crafted xalan:content-header, xalan:entities,...

7.5CVSS7.3AI score0.13809EPSS
Exploits2References79
RedHat Linux
RedHat Linux
added 2013/11/07 4:46 p.m.4 views

OpenJDK: javax.xml.transform.TransformerFactory does not properly honor XMLConstants.FEATURE_SECURE_PROCESSING (JAXP, 8012425)

Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via...

7.5CVSS6.8AI score0.04431EPSS
Exploits0References5
RedHat Linux
RedHat Linux
added 2013/11/07 4:45 p.m.29 views

OpenJDK: javax.xml.transform.TransformerFactory does not properly honor XMLConstants.FEATURE_SECURE_PROCESSING (JAXP, 8012425)

Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via...

7.5CVSS6.8AI score0.04431EPSS
Exploits0References5
RedHat Linux
RedHat Linux
added 2013/11/05 5:58 p.m.5 views

OpenJDK: javax.xml.transform.TransformerFactory does not properly honor XMLConstants.FEATURE_SECURE_PROCESSING (JAXP, 8012425)

Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via...

7.5CVSS6.8AI score0.04431EPSS
Exploits0References5
RedHat Linux
RedHat Linux
added 2013/10/22 5:13 p.m.4 views

OpenJDK: javax.xml.transform.TransformerFactory does not properly honor XMLConstants.FEATURE_SECURE_PROCESSING (JAXP, 8012425)

Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via...

7.5CVSS6.8AI score0.04431EPSS
Exploits0References5
RedHat Linux
RedHat Linux
added 2013/10/21 5:37 p.m.6 views

OpenJDK: javax.xml.transform.TransformerFactory does not properly honor XMLConstants.FEATURE_SECURE_PROCESSING (JAXP, 8012425)

Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via...

7.5CVSS6.8AI score0.04431EPSS
Exploits0References5
Rows per page
Query Builder