Bio Formats CVE-2026-22186
HIGH
GHSA-fcqj-76g3-q7qm
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
Lifecycle Timeline
2DescriptionNVD
Bio-Formats versions up to and including 8.3.0 contain an XML External Entity (XXE) vulnerability in the Leica Microsystems metadata parsing component (e.g., XLEF). The parser uses an insecurely configured DocumentBuilderFactory when processing Leica XML-based metadata files, allowing external entity expansion and external DTD loading. A crafted metadata file can trigger outbound network requests (SSRF), access local system resources where readable, or cause a denial of service during XML parsing.
AnalysisAI
Bio-Formats versions up to 8.3.0 contain an XML External Entity (XXE) injection vulnerability in the Leica Microsystems metadata parser that fails to disable external entity expansion. A local attacker can exploit this by crafting malicious XML metadata files to trigger server-side request forgery, read local files, or cause denial of service. …
Sign in for full analysis, threat intelligence, and remediation guidance.
RemediationAI
Within 7 days: Identify all affected systems and apply vendor patches promptly. Monitor vendor channels for patch availability.
Sign in for detailed remediation steps.
Share
External POC / Exploit Code
Leaving vuln.today