CVE-2026-22186
Unknown Unknown - Not Provided
XXE Vulnerability in Bio-Formats Leica Metadata Parser Enables SSRF

Publication date: 2026-01-07

Last updated on: 2026-03-18

Assigner: VulnCheck

Description
Bio-Formats versions up to and including 8.3.0 contain an XML External Entity (XXE) vulnerability in the Leica Microsystems metadata parsing component (e.g., XLEF). The parser uses an insecurely configured DocumentBuilderFactory when processing Leica XML-based metadata files, allowing external entity expansion and external DTD loading. A crafted metadata file can trigger outbound network requests (SSRF), access local system resources where readable, or cause a denial of service during XML parsing.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-07
Last Modified
2026-03-18
Generated
2026-06-16
AI Q&A
2026-01-07
EPSS Evaluated
2026-06-15
NVD
CVE-2026-22186
EUVD
EUVD-2026-1170
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
openmicroscopy bio-formats to 8.3.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-611 The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-22186 is an XML External Entity (XXE) vulnerability in Bio-Formats versions up to 8.3.0, specifically in the Leica Microsystems metadata parsing component (XLEF parser). The vulnerability arises because the XML parser uses an insecurely configured DocumentBuilderFactory that allows external entity expansion and loading of external Document Type Definitions (DTDs). An attacker can craft a malicious Leica XML metadata file that triggers outbound network requests (Server-Side Request Forgery), accesses local system files if readable, or causes denial of service during XML parsing. [1, 2]

Impact Analysis

This vulnerability can impact you by allowing an attacker to perform Server-Side Request Forgery (SSRF), which can make your system send unauthorized outbound network requests. It can also allow access to local system resources if those files are readable by the parser, potentially exposing sensitive data. Additionally, it can cause denial of service (DoS) conditions by destabilizing the XML parser during processing of malicious metadata files. These impacts can disrupt normal operations and compromise system security. [1, 2]

Detection Guidance

This vulnerability can be detected by observing outbound HTTP requests triggered during XML parsing of Leica XML metadata files, indicating external entity resolution. A proof of concept involves using the Bio-Formats ImageInfo tool to parse a crafted malicious XLEF XML file that references an external DTD hosted on an attacker-controlled server. Detection can include monitoring network logs for unexpected outbound HTTP requests during XML metadata processing and checking for FileNotFoundException errors related to external resources in application logs. Specific commands are not provided in the resources. [2]

Mitigation Strategies

Immediate mitigation steps include avoiding the use of Bio-Formats versions up to and including 8.3.0 for processing Leica XML metadata files until a patched version is available. Restrict or disable external entity resolution and external DTD loading in the XML parser configuration (DocumentBuilderFactory) used by the Leica Microsystems metadata parsing component. Additionally, monitor and block unexpected outbound network requests from the application processing these files to prevent SSRF attacks. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-22186. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart