CVE-2026-22186
Bio-Formats <= 8.3.0 XXE in Leica XLEF Metadata Parser
| Metric | Value |
|---|---|
| CVSS Score | 0.0 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
Bio-Formats versions up to and including 8.3.0 contain an XML External Entity (XXE) vulnerability in the Leica Microsystems metadata parsing component (e.g., the XLEF reader). The parser processes Leica XML-based metadata files with an insecurely configured DocumentBuilderFactory, so external entity expansion and external DTD loading remain enabled. A crafted metadata file can therefore make the parsing process issue outbound network requests (SSRF), disclose local files the process can read, or stall or exhaust the parser (denial of service) while the XML is being parsed. Because the metadata is parsed when the dataset is opened, simply reading an attacker-supplied Leica file is sufficient to trigger the issue.
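To make the two configurations concrete, the following is an added example written for this page; it is not code from Bio-Formats or from the advisory, and the XLEF-shaped element names (`LMSDataContainerHeader`, `Element`) are illustrative rather than the real Leica schema. `insecureBuilder()` reproduces the class of misconfiguration the advisory describes (a default `DocumentBuilderFactory`), and `hardenedBuilder()` is one hardening the editor would expect, not a claim about the actual upstream fix. The sample document and the temp file it references are constructed inline so the program runs offline.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class XlefXxeDemo {

    // Insecure configuration of the kind the advisory describes: a default
    // DocumentBuilderFactory resolves external general entities and loads
    // external DTDs, so a DOCTYPE in the metadata file is honoured.
    static DocumentBuilder insecureBuilder() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    // Hardened configuration (editor's suggestion, not the upstream patch):
    // reject DOCTYPE outright and, in case a non-default parser on the classpath
    // ignores that feature, also switch off every external-entity path.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Constructed sample: an XLEF-shaped document whose DOCTYPE declares an
    // external general entity pointing at a local file. The entity is referenced
    // in element content (external entities are not allowed in attribute values).
    static String craftedXlef(Path secret) {
        return "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
             + "<!DOCTYPE LMSDataContainerHeader [\n"
             + "  <!ENTITY leak SYSTEM \"" + secret.toUri() + "\">\n"
             + "]>\n"
             + "<LMSDataContainerHeader Version=\"1.0\">\n"
             + "  <Element>&leak;</Element>\n"
             + "</LMSDataContainerHeader>\n";
    }

    // Parse with the given builder and return the text of the first <Element>.
    static String firstElementText(DocumentBuilder db, String xml) throws Exception {
        Document doc = db.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return doc.getElementsByTagName("Element").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.writeString(secret, "host-only-secret");
        String xml = craftedXlef(secret);
        try {
            // Default factory: the entity is resolved and the file contents land in the DOM.
            System.out.println("insecure: Element=" + firstElementText(insecureBuilder(), xml));

            // Hardened factory: the DOCTYPE is rejected before any entity is resolved.
            try {
                firstElementText(hardenedBuilder(), xml);
                System.out.println("hardened: parsed (unexpected)");
            } catch (SAXParseException e) {
                System.out.println("hardened: rejected -> " + e.getMessage());
            }
        } finally {
            Files.deleteIfExists(secret);
        }
    }
}
```

Replace the `file:` URI in the entity declaration with an `http://` URL and the same insecure parse becomes the outbound request the advisory lists as SSRF; the hardened builder fails identically in both cases, since it never reaches entity resolution. When auditing a codebase for this pattern, grep for `DocumentBuilderFactory.newInstance()` (and `SAXParserFactory`, `XMLInputFactory`) and check that every instance sets `disallow-doctype-decl` or the external-entity features before `newDocumentBuilder()` is called.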
| Field | Value |
|---|---|
| CWE | CWE-611 |
| Vendor | Open Microscopy Environment |
| Product | Bio-Formats |
| Published | Jan 7, 2026 |
| Last Updated | Mar 18, 2026 |
Affected Versions
Open Microscopy Environment / Bio-Formats
0 ≤ version ≤ 8.3.0 (all releases up to and including 8.3.0)
References
- seclists.org: https://seclists.org/fulldisclosure/2026/Jan/6
- github.com: https://github.com/ome/bioformats/security/advisories/GHSA-x9vc-qh97-8gjp
- docs.openmicroscopy.org: https://docs.openmicroscopy.org/bio-formats/
- vulncheck.com: https://www.vulncheck.com/advisories/bio-formats-xxe-in-leica-xlef-metadata-parser
Credits
- Ron Edgerson
- Beatriz Fresno Naumova