Security Vulnerability Report
CVE-2026-22186 (CVSS 7.1, HIGH)

Published: 2026-01-07 21:16:02
Last Modified: 2026-03-18 17:16:06

Description

Bio-Formats versions up to and including 8.3.0 contain an XML External Entity (XXE) vulnerability in the Leica Microsystems metadata parsing component (e.g., XLEF). The parser uses an insecurely configured DocumentBuilderFactory when processing Leica XML-based metadata files, allowing external entity expansion and external DTD loading. A crafted metadata file can trigger outbound network requests (SSRF), access local system resources where readable, or cause a denial of service during XML parsing.
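The fix the description implies is a correctly locked-down DocumentBuilderFactory. Below is such a configuration as an added example (not Bio-Formats' own code); the Leica-style sample documents and their element names are constructed placeholders, not the real XLEF schema.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import java.io.StringReader;

public class SafeLeicaXmlParser {

    // A plain DocumentBuilderFactory.newInstance() leaves DOCTYPE declarations,
    // external entity expansion and external DTD loading enabled, which is the
    // weak configuration described in the advisory. Metadata files never need a
    // DTD, so the hardened factory rejects any DOCTYPE outright and disables
    // every external-fetch feature as defence in depth.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    static Document parse(DocumentBuilderFactory f, String xml) throws Exception {
        DocumentBuilder b = f.newDocumentBuilder();
        // Resolve nothing: even if a DOCTYPE slipped through, no external resource is fetched.
        b.setEntityResolver((publicId, systemId) -> new InputSource(new StringReader("")));
        return b.parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples; element names are placeholders, not the real XLEF schema.
        String clean = "<LeicaMetadata><Element Name=\"sample\"/></LeicaMetadata>";
        String withDoctype = "<!DOCTYPE LeicaMetadata [<!ENTITY e \"x\">]><LeicaMetadata>&e;</LeicaMetadata>";
        System.out.println("parsed: " + parse(hardenedFactory(), clean).getDocumentElement().getTagName());
        try {
            parse(hardenedFactory(), withDoctype);
        } catch (SAXParseException e) {
            // The hardened parser stops at the DOCTYPE before any entity is resolved.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The well-formed document parses; the one carrying a DOCTYPE is rejected before any entity or DTD could be resolved, which is the behaviour a patched parser should show on untrusted metadata.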

CVSS Details

CVSS 3.1 Score (primary): 7.1
Severity: HIGH
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
CVSS 4.0 Score (secondary): 4.6 MEDIUM
CVSS 4.0 Base Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N (threat and environmental metrics not defined)

Configurations (Affected Products)

cpe:2.3:a:openmicroscopy:bio-formats:*:*:*:*:*:*:*:* - VULNERABLE
Bio-Formats <= 8.3.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
Construct a malicious XLEF file with an embedded external entity reference pointing at an internal resource.

Weakness

CWE-611 (Improper Restriction of XML External Entity Reference)

References

https://docs.openmicroscopy.org/bio-formats/ (Release Notes)
https://github.com/ome/bioformats/security/advisories/GHSA-x9vc-qh97-8gjp
https://seclists.org/fulldisclosure/2026/Jan/6 (Mailing List)
https://www.vulncheck.com/advisories/bio-formats-xxe-in-leica-xlef-metadata-parser (Third Party Advisory)