CVE-2026-55471: HAPI FHIR: XXE in XsltUtilities.saxonTransform via unhardened Saxon TransformerFactory
org.hl7.fhir.utilities.XsltUtilities exposes two parallel families of XSLT
transform helpers. The transform(...) overloads obtain their
TransformerFactory from the project’s hardened helper
XMLUtil.newXXEProtectedTransformerFactory(), which sets
ACCESS_EXTERNAL_DTD="" and ACCESS_EXTERNAL_STYLESHEET="" so that neither the
parser created for the input document nor the stylesheet compiler may reach
external DTDs, entities, imports or document() targets. The sibling
saxonTransform(...) overloads instead instantiate a bare
new net.sf.saxon.TransformerFactoryImpl() with no external-access
restriction. A document transformed through any saxonTransform(...) overload
is parsed with external general entities and external DTD/parameter entities
enabled, so an attacker who controls (or can MITM) the transformed XML obtains
XML External Entity injection: local file disclosure through entity expansion
into the transform output, and blind XXE / SSRF to arbitrary URLs reachable
from the host.
XMLUtil documents that its protected factory “should be the only place where
TransformerFactory is instantiated in this project”. The saxonTransform
overloads violate that contract while their same-file transform siblings
honour it.
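The two patterns side by side, as an added example that is not part of the advisory or of HAPI FHIR's code: vulnerableTransform() reproduces the bare-factory shape the advisory describes, and hardenedTransform() applies the two JAXP attributes the hardened helper is said to set, plus a parser-level defence (a SAXSource backed by an XMLReader that refuses DOCTYPE declarations and external entities) that holds even if a given Saxon release ignores the factory attributes. The class name, the identity stylesheet, the constructed probe document and its file path are all illustrative; the example assumes Saxon-HE is on the classpath, and whether a particular Saxon version accepts XMLConstants.ACCESS_EXTERNAL_DTD / ACCESS_EXTERNAL_STYLESHEET on setAttribute is an assumption the code checks at runtime and fails closed on.

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.Source;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.sax.SAXSource;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;
import org.xml.sax.InputSource;
import org.xml.sax.XMLReader;

public class SaxonXxeDemo {

    // Constructed XXE probe (not from the advisory): an external general entity
    // pointing at a local file. The path is illustrative. On a vulnerable path the
    // parser reads the file and the identity transform echoes it into the output.
    static final String PROBE =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE r [ <!ENTITY xxe SYSTEM \"file:///etc/hostname\"> ]>\n"
      + "<r>&xxe;</r>";

    // Identity stylesheet: copies the input tree, expanded entities included.
    static final String IDENTITY_XSLT =
        "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">"
      + "<xsl:template match=\"@*|node()\"><xsl:copy>"
      + "<xsl:apply-templates select=\"@*|node()\"/></xsl:copy></xsl:template>"
      + "</xsl:stylesheet>";

    /** The shape the advisory describes: bare Saxon factory, untrusted StreamSource. */
    static String vulnerableTransform(String untrustedXml) throws Exception {
        TransformerFactory f = new net.sf.saxon.TransformerFactoryImpl(); // no external-access limits
        Transformer t = f.newTransformer(new StreamSource(new StringReader(IDENTITY_XSLT)));
        StringWriter out = new StringWriter();
        // Saxon creates its own XML parser for a StreamSource; that parser expands &xxe;.
        t.transform(new StreamSource(new StringReader(untrustedXml)), new StreamResult(out));
        return out.toString();
    }

    /** Factory-level hardening: the two JAXP attributes the page says XMLUtil sets. */
    static TransformerFactory hardenedSaxonFactory() {
        TransformerFactory f = new net.sf.saxon.TransformerFactoryImpl();
        try {
            f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");        // no external DTDs / entities
            f.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, ""); // no xsl:import/include/document() fetches
        } catch (IllegalArgumentException e) {
            // Assumption: not every Saxon release recognises the JAXP 1.5 attributes.
            // Fail closed rather than silently run with an unrestricted factory.
            throw new IllegalStateException("Saxon factory cannot be restricted; refusing to use it", e);
        }
        return f;
    }

    /** Parser-level defence independent of the factory: no DOCTYPE, no external entities. */
    static XMLReader hardenedReader() throws Exception {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setNamespaceAware(true); // Saxon requires a namespace-aware parser
        spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        spf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        return spf.newSAXParser().getXMLReader();
    }

    /** Hardened path: restricted factory plus a pre-configured parser for the input. */
    static String hardenedTransform(String untrustedXml) throws Exception {
        Transformer t = hardenedSaxonFactory()
            .newTransformer(new StreamSource(new StringReader(IDENTITY_XSLT)));
        // Supplying the XMLReader ourselves means Saxon uses it instead of building its own.
        Source in = new SAXSource(hardenedReader(), new InputSource(new StringReader(untrustedXml)));
        StringWriter out = new StringWriter();
        t.transform(in, new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) {
        try {
            System.out.println("vulnerable path output: " + vulnerableTransform(PROBE));
        } catch (Exception e) {
            System.out.println("vulnerable path failed (file unreadable?): " + e.getMessage());
        }
        try {
            System.out.println("hardened path output: " + hardenedTransform(PROBE));
        } catch (Exception e) {
            // Expected with the Xerces features above: the DOCTYPE itself is rejected.
            System.out.println("hardened path rejected the document: " + e.getMessage());
        }
    }
}
```

The parser-level layer is the one to rely on when auditing: factory attributes only govern the parser the factory builds for a StreamSource, so a caller that hands in its own SAXSource or DOMSource must harden that parser itself. To find other instances of the pattern this advisory describes in a codebase, search for `new net.sf.saxon.TransformerFactoryImpl(` and `TransformerFactory.newInstance(` outside the one helper that is supposed to own factory creation.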