CVE-2026-22186
HIGH 7.1
Description
Bio-Formats versions up to and including 8.3.0 contain an XML External Entity (XXE) vulnerability in the Leica Microsystems metadata parsing component (e.g., XLEF). The parser uses an insecurely configured DocumentBuilderFactory when processing Leica XML-based metadata files, allowing external entity expansion and external DTD loading. A crafted metadata file can trigger outbound network requests (SSRF), access local system resources where readable, or cause a denial of service during XML parsing.
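The weak and hardened DocumentBuilderFactory configurations side by side, as an added example that is not Bio-Formats' own code: the default factory resolves external entities and loads external DTDs (the CWE-611 pattern described above), while the hardened one rejects any DOCTYPE and switches off the remaining resolution paths. The class name and the XLEF-like sample document are constructed for illustration.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import java.io.StringReader;

public class HardenedXmlFactory {
    // Weak form (CWE-611): a default factory resolves external entities and
    // loads external DTDs as soon as the input carries a DOCTYPE.
    static DocumentBuilderFactory weakFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    // Hardened form: reject DOCTYPE outright, then, as defence in depth,
    // disable external entities, external DTD loading, entity expansion and
    // XInclude, and block DTD/schema access through the JAXP 1.5 properties.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // True when the factory's parser refuses the document, false when it parses it.
    static boolean rejects(DocumentBuilderFactory f, String xml) throws Exception {
        try {
            f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
            return false;
        } catch (SAXParseException e) {
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a minimal XLEF-like document carrying a DOCTYPE with
        // one internal entity; nothing is read from disk or fetched over the network.
        String withDoctype = "<?xml version=\"1.0\"?><!DOCTYPE xlef [<!ENTITY n \"c\">]>"
                           + "<xlef><name>&n;</name></xlef>";
        System.out.println("hardened rejects DOCTYPE: " + rejects(hardenedFactory(), withDoctype));
        System.out.println("weak rejects DOCTYPE:     " + rejects(weakFactory(), withDoctype));
    }
}
```

With the JDK's built-in Xerces parser the hardened factory raises a SAXParseException on the DOCTYPE before any entity is resolved; a parser that lacks the Apache feature URIs still gets the JAXP 1.5 access restrictions and the disabled SAX entity features.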
CVE details
CVSS v3.1 score: 7.1
Severity: HIGH
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
Attack vector: LOCAL
Attack complexity: LOW
Privileges required: NONE
User interaction: REQUIRED
Published: 1/7/2026
Last modified: 3/18/2026
Source: nvd
Honeypot observations: 0
Affected products
openmicroscopy:bio-formats
Weaknesses (CWE)
CWE-611
References
https://docs.openmicroscopy.org/bio-formats/ (disclosure@vulncheck.com)
https://github.com/ome/bioformats/security/advisories/GHSA-x9vc-qh97-8gjp (disclosure@vulncheck.com)
https://seclists.org/fulldisclosure/2026/Jan/6 (disclosure@vulncheck.com)
https://www.vulncheck.com/advisories/bio-formats-xxe-in-leica-xlef-metadata-parser (disclosure@vulncheck.com)
IOC correlations
No correlation recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.