Bio-Formats XXE in Leica Metadata Parser (CVE-2026-22186)
Author: Beatriz Fresno Naumova
Date: 18/03/2026 (GitHub Advisory)
Vendor: Open Microscopy Environment
Product: Bio-Formats
Version Affected: ≤ 8.4.0
Fixed Version: 8.5.0
Component: Leica metadata parser (XLEF)
CWE: CWE-611 – Improper Restriction of XML External Entity Reference
Attack Vector: Local
Description
Bio-Formats versions up to and including 8.4.0 contain an XML External Entity (XXE) vulnerability in the Leica metadata parsing component (XLEF).
The parser uses an insecure configuration of DocumentBuilderFactory, allowing external entity expansion and loading of external DTDs. As a result, a specially crafted XML metadata file can trigger unintended behavior during parsing.
Impact
Successful exploitation may allow:
Server-Side Request Forgery (SSRF) via outbound network requests
Access to local system resources (if readable)
Denial of Service (DoS) during XML parsing
CVSS Details
CVSS v3.1 Vector:
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
Base Score: 7.1 (High)
Proof of Concept (PoC)
Steps to Reproduce
Install a vulnerable version of Bio-Formats (≤ 8.3.0).
Prepare a malicious XLEF/XML file containing an external entity:
Execute the Bio-Formats analysis tool with the crafted file:
Observe outbound network requests or unintended resource access triggered during XML parsing.
Mitigation
Disable external entity processing in XML parsers
Configure DocumentBuilderFactory securely:
FEATURE_SECURE_PROCESSING
Disable DTDs and external entities
Validate and sanitize XML inputs before processing
Update to a patched version when available
Discoverer
Beatriz Fresno Naumova
Ron Edgerson
References
Bio-Formats (GitHub Advisory): https://github.com/ome/bioformats/security/advisories/GHSA-x9vc-qh97-8gj