Cyber Resilience

CVE-2026-22186

Severity: Medium · Public PoC
Published: 07 January 2026
Modified: 18 March 2026
CVSS Score (v4): 4.6 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0001 (1.2th percentile)
Risk Priority: 9 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-22186 is a medium-severity Improper Restriction of XML External Entity Reference (CWE-611) vulnerability in Openmicroscopy Bio-Formats. Its CVSS base score is 4.6 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002); ranked at the 1.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-10 (Information Input Validation).

Deeper analysis

Bio-Formats versions up to and including 8.3.0 contain CVE-2026-22186, an XML External Entity (XXE) vulnerability classified under CWE-611 in the Leica Microsystems metadata parsing component (for example, XLEF files). The vulnerability arises from an insecurely configured DocumentBuilderFactory used to process Leica XML-based metadata files, which permits external entity expansion and external DTD loading.

Exploitation requires local access (AV:L) with low complexity (AC:L), no privileges (PR:N), and user interaction (UI:R), as indicated by the CVSS v3.1 base score of 7.1 (C:H/I:N/A:H/S:U). A local attacker can craft a malicious metadata file that, when opened in Bio-Formats, triggers server-side request forgery (SSRF) through outbound network requests, discloses readable local system resources, or causes a denial of service during XML parsing.

Advisories providing mitigation guidance and patch information are available from sources including the Open Microscopy Environment Bio-Formats documentation at https://docs.openmicroscopy.org/bio-formats/, the Bio-Formats GitHub security advisory at https://github.com/ome/bioformats/security/advisories/GHSA-x9vc-qh97-8gjp, the Full Disclosure mailing list at https://seclists.org/fulldisclosure/2026/Jan/6, and the VulnCheck advisory at https://www.vulncheck.com/advisories/bio-formats-xxe-in-leica-xlef-metadata-parser.


Vulnerability details

Bio-Formats versions up to and including 8.3.0 contain an XML External Entity (XXE) vulnerability in the Leica Microsystems metadata parsing component (e.g., XLEF). The parser uses an insecurely configured DocumentBuilderFactory when processing Leica XML-based metadata files, allowing external entity expansion and external DTD loading. A crafted metadata file can trigger outbound network requests (SSRF), access local system resources where readable, or cause a denial of service during XML parsing.

CWE(s)

CWE-611 Improper Restriction of XML External Entity Reference

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1204.002 Malicious File (tactic: Execution)
An adversary may rely upon a user opening a malicious file in order to gain execution.
T1005 Data from Local System (tactic: Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

Why these techniques?

XXE in a local file parser maps directly to Malicious File (T1204.002) for the initial trigger and to local resource disclosure (T1005) via crafted metadata.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-22187 · Same product: Openmicroscopy Bio-Formats
CVE-2026-33913 · Shared CWE-611
CVE-2025-66516 · Shared CWE-611
CVE-2024-12476 · Shared CWE-611
CVE-2026-40682 · Shared CWE-611
CVE-2026-41066 · Shared CWE-611
CVE-2025-0162 · Shared CWE-611
CVE-2025-68493 · Shared CWE-611
CVE-2025-49535 · Shared CWE-611
CVE-2026-4374 · Shared CWE-611

Affected Assets

openmicroscopy bio-formats ≤ 8.3.0

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

SI-10 Information Input Validation (prevent)
Directly requires validation of XML metadata input to reject external entity declarations and DTDs before the insecure DocumentBuilderFactory processes Leica XLEF files.

CM-6 Configuration Settings (prevent)
Mandates secure configuration settings that disable external entity expansion and DTD loading in the XML parser used by Bio-Formats.

Boundary controls (prevent)
Enforces boundary controls that can block the outbound network requests (SSRF) and limit local resource access triggered by a crafted metadata file.
