A vulnerability marked as problematic has been reported in hapifhir FHIR up to 6.9.8. Affected by this issue is the function
matches/matchesFull/replaceMatches of the component FHIRPathEngine. The manipulation leads to incorrect regular expression.
This vulnerability is referenced as CVE-2026-49485. Remote exploitation of the attack is possible. No exploit is available.