Moderate severityOSV Advisory· Published Jan 7, 2026· Updated Mar 18, 2026
Bio-Formats <= 8.3.0 XXE in Leica XLEF Metadata Parser
CVE-2026-22186
Description
Bio-Formats versions up to and including 8.3.0 contain an XML External Entity (XXE) vulnerability in the Leica Microsystems metadata parsing component (e.g., XLEF). The parser uses an insecurely configured DocumentBuilderFactory when processing Leica XML-based metadata files, allowing external entity expansion and external DTD loading. A crafted metadata file can trigger outbound network requests (SSRF), access local system resources where readable, or cause a denial of service during XML parsing.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
ome:pom-bio-formatsMaven | <= 8.3.0 | — |
Affected products
1- Range: v4.4.0, v4.4.1, v4.4.4, …
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
7- seclists.org/fulldisclosure/2026/Jan/6ghsatechnical-descriptionexploitWEB
- github.com/advisories/GHSA-fcqj-76g3-q7qmghsaADVISORY
- github.com/ome/bioformats/security/advisories/GHSA-x9vc-qh97-8gjpghsavendor-advisorypatchWEB
- nvd.nist.gov/vuln/detail/CVE-2026-22186ghsaADVISORY
- www.vulncheck.com/advisories/bio-formats-xxe-in-leica-xlef-metadata-parserghsathird-party-advisoryWEB
- docs.openmicroscopy.org/bio-formatsghsaWEB
- docs.openmicroscopy.org/bio-formats/mitreproductrelease-notes
News mentions
0No linked articles in our index yet.