QwikSec

Security Database

CVE

CWE

Training

CVE-2026-22186

Published: Jan 7, 2026

Modified: Mar 18, 2026

PUBLISHED

Description

Bio-Formats versions up to and including 8.3.0 contain an XML External Entity (XXE) vulnerability in the Leica Microsystems metadata parsing component (e.g., XLEF). The parser uses an insecurely configured DocumentBuilderFactory when processing Leica XML-based metadata files, allowing external entity expansion and external DTD loading. A crafted metadata file can trigger outbound network requests (SSRF), access local system resources where readable, or cause a denial of service during XML parsing.

Vendor	Product	Versions
Open Microscopy Environment	Bio-Formats	affected `0 - <= 8.3.0`

Weaknesses (CWE)

References

https://seclists.org/fulldisclosure/2026/Jan/6

technical-description

exploit

https://github.com/ome/bioformats/security/advisories/GHSA-x9vc-qh97-8gjp

vendor-advisory

patch

https://docs.openmicroscopy.org/bio-formats/

product

release-notes

https://www.vulncheck.com/advisories/bio-formats-xxe-in-leica-xlef-metadata-parser

third-party-advisory

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.