CVE-2026-22186
XXE Vulnerability in Bio-Formats Leica Metadata Parser Enables SSRF
Publication date: 2026-01-07
Last updated on: 2026-03-18
Assigner: VulnCheck
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openmicroscopy | bio-formats | up to and including 8.3.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-611 | The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-22186 is an XML External Entity (XXE) vulnerability in Bio-Formats versions up to 8.3.0, specifically in the Leica Microsystems metadata parsing component (XLEF parser). The vulnerability arises because the XML parser uses an insecurely configured DocumentBuilderFactory that allows external entity expansion and loading of external Document Type Definitions (DTDs). An attacker can craft a malicious Leica XML metadata file that triggers outbound network requests (Server-Side Request Forgery), accesses local system files if readable, or causes denial of service during XML parsing. [1, 2]
How can this vulnerability impact me?
This vulnerability can impact you by allowing an attacker to perform Server-Side Request Forgery (SSRF), which can make your system send unauthorized outbound network requests. It can also allow access to local system resources if those files are readable by the parser, potentially exposing sensitive data. Additionally, it can cause denial of service (DoS) conditions by destabilizing the XML parser during processing of malicious metadata files. These impacts can disrupt normal operations and compromise system security. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by observing outbound HTTP requests triggered during XML parsing of Leica XML metadata files, which indicates that external entities are being resolved. The published proof of concept uses the Bio-Formats ImageInfo tool to parse a crafted XLEF XML file that references an external DTD hosted on an attacker-controlled server. Detection can therefore include monitoring network logs for unexpected outbound HTTP requests while XML metadata is being processed, and checking application logs for FileNotFoundException errors that mention external resources. Specific commands are not provided in the resources. [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include avoiding the use of Bio-Formats versions up to and including 8.3.0 for processing Leica XML metadata files until a patched version is available. Restrict or disable external entity resolution and external DTD loading in the XML parser configuration (DocumentBuilderFactory) used by the Leica Microsystems metadata parsing component. Additionally, monitor and block unexpected outbound network requests from the application processing these files to prevent SSRF attacks. [1, 2]
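The mitigation above comes down to how the DocumentBuilderFactory is configured. The following Java program is an added example, not Bio-Formats' own parser code: it builds a constructed XLEF-like document whose DOCTYPE points at an external DTD (the host name is a placeholder), parses it once with a default factory and once with a hardened one, and, instead of letting the parser reach the network, installs an EntityResolver that records every external system identifier the parser asks for. It assumes the JDK's built-in Xerces-derived parser, which supports the Apache feature URIs used here.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.SAXParseException;

public class XlefParserHardening {

    // Constructed sample: a minimal XLEF-like document whose DOCTYPE references an
    // external DTD. "dtd-host.invalid" is a placeholder, not a real server.
    static final String SAMPLE_XLEF =
        "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
      + "<!DOCTYPE xlef SYSTEM \"http://dtd-host.invalid/leica.dtd\">\n"
      + "<xlef><Element Name=\"Series_1\"/></xlef>\n";

    /** Default factory: DTD loading and external entity resolution are enabled. */
    static DocumentBuilderFactory defaultFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    /** Hardened factory: no DOCTYPE at all, no external entities, no external access. */
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Rejecting the DOCTYPE declaration outright blocks both external DTDs and entity
        // expansion attacks; metadata files do not need a DTD to be parsed.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        // JAXP 1.5 properties: an empty protocol list forbids all external DTD/schema access.
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f;
    }

    /**
     * Parses SAMPLE_XLEF with the given factory and returns the list of external system
     * identifiers the parser tried to fetch. The resolver hands back an empty DTD so the
     * run stays offline; each recorded identifier is exactly the outbound request a
     * defender would otherwise see in network logs.
     */
    static List<String> parseAndRecordExternalFetches(DocumentBuilderFactory f)
            throws ParserConfigurationException, SAXException, IOException {
        List<String> fetched = new ArrayList<>();
        DocumentBuilder b = f.newDocumentBuilder();
        b.setEntityResolver((publicId, systemId) -> {
            fetched.add(systemId);
            return new InputSource(new StringReader(""));
        });
        b.parse(new ByteArrayInputStream(SAMPLE_XLEF.getBytes(StandardCharsets.UTF_8)));
        return fetched;
    }

    public static void main(String[] args) throws Exception {
        // Default configuration: the parser asks for the external DTD before it has even
        // looked at the document body.
        List<String> fetches = parseAndRecordExternalFetches(defaultFactory());
        System.out.println("default factory requested: " + fetches);

        // Hardened configuration: the DOCTYPE itself is rejected, so no request is made.
        try {
            parseAndRecordExternalFetches(hardenedFactory());
            System.out.println("hardened factory: document parsed (not expected)");
        } catch (SAXParseException e) {
            System.out.println("hardened factory rejected the document: " + e.getMessage());
        }
    }
}
```

Run as `javac XlefParserHardening.java && java XlefParserHardening`. With the default factory the recorded list contains the DTD URL from the DOCTYPE; with the hardened factory the parse fails with a SAXParseException about the disallowed DOCTYPE before any external identifier is requested. If a parser must keep accepting DTDs for compatibility, the remaining feature and attribute settings still prevent external resolution, but disallow-doctype-decl is the single setting that closes the whole class.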