CVEDB API

Vulnerabilities

By Date
Known Exploited
Advanced Search

Vulnerable Software

Vendors
Products

Vulnerability Details CVE-2026-22186

Bio-Formats versions up to and including 8.3.0 contain an XML External Entity (XXE) vulnerability in the Leica Microsystems metadata parsing component (e.g., XLEF). The parser uses an insecurely configured DocumentBuilderFactory when processing Leica XML-based metadata files, allowing external entity expansion and external DTD loading. A crafted metadata file can trigger outbound network requests (SSRF), access local system resources where readable, or cause a denial of service during XML parsing.

Exploit prediction scoring system (EPSS) score

EPSS Score 0.0

EPSS Ranking 5.2%

CVSS Severity

CVSS v3 Score 7.1

References

https://docs.openmicroscopy.org/bio-formats/
https://seclists.org/fulldisclosure/2026/Jan/6
https://www.vulncheck.com/advisories/bio-formats-xxe-in-leica-xlef-metadata-parser

Products affected by CVE-2026-22186

Openmicroscopy » Bio-Formats » Version: Any

cpe:2.3:a:openmicroscopy:bio-formats:*

Vulnerabilities

Vulnerable Software

Vulnerability Details CVE-2026-22186

Products

Pricing

Contact Us