CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-55470

highCVSS 7.5covered by 1 sourcefirst seen 2026-07-08
HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to 6.9.10, the fix for CVE-2026-45367 incompletely patched the DSTU2 module, leaving FHIRPathEngine.matches() in org.hl7.fhir.dstu2/utils/FHIRPathEngine.java to call raw String.matches(sw) without RegexTimeout protection while replaceMatches() was updated, allowing an unauthenticated attacker to trigger catastrophic regex backtracking and exhaust server CPU. This issue is fixed in version 6.9.10.

⚡ Watch CVE-2026-55470

Get an email if CVE-2026-55470 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (1)

External references

NVD record for CVE-2026-55470

CVE.org record

Embed the live status

CVE-2026-55470 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-55470 status](https://www.csirts.com/badge/CVE-2026-55470)](https://www.csirts.com/cve/CVE-2026-55470)