Cyber Posture

CVE-2026-22186

Severity: High · Public PoC

Published: 07 January 2026

Modified: 18 March 2026
KEV Added
Patch
CVSS Score: 7.1 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H)
EPSS Score: 0.0003 (10.0th percentile)
Risk Priority: 14 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-22186 is a high-severity Improper Restriction of XML External Entity Reference (CWE-611) vulnerability in Openmicroscopy Bio-Formats. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002). The CVE ranks at the 10.0th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

Threat & Defense at a Glance

What attackers do: exploitation maps to Malicious File (T1204.002) and one other technique, Data from Local System (T1005).
Threat & Defense Details

Likely Mitigating Controls (AI-generated)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Addresses CWE-611: Penetration testing that includes XML external entity payloads, detecting XXE vulnerabilities so they can be mitigated.
- Addresses CWE-611: Detection of XML external entity processing through monitoring for unusual file or network access, or unusual resource usage, during parsing.

MITRE ATT&CK Enterprise Techniques (AI-generated)

- T1204.002 Malicious File (tactic: Execution): An adversary may rely upon a user opening a malicious file in order to gain execution.
- T1005 Data from Local System (tactic: Collection): Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

XXE in a local file parser directly enables malicious file execution (T1204.002) as the initial trigger, and local resource disclosure (T1005) via crafted metadata.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

Bio-Formats versions up to and including 8.3.0 contain an XML External Entity (XXE) vulnerability in the Leica Microsystems metadata parsing component (e.g., XLEF). The parser uses an insecurely configured DocumentBuilderFactory when processing Leica XML-based metadata files, allowing external entity expansion and external DTD loading. A crafted metadata file can trigger outbound network requests (SSRF), access local system resources where readable, or cause a denial of service during XML parsing.

Deeper analysis (AI-generated)

Bio-Formats versions up to and including 8.3.0 contain CVE-2026-22186, an XML External Entity (XXE) vulnerability classified under CWE-611 in the Leica Microsystems metadata parsing component, such as XLEF files. The vulnerability arises from an insecurely configured DocumentBuilderFactory used to process Leica XML-based metadata files, enabling external entity expansion and external DTD loading.

Exploitation requires local access (AV:L) with low complexity (AC:L), no privileges (PR:N), and user interaction (UI:R), as indicated by the CVSS v3.1 base score of 7.1 (C:H/I:N/A:H/S:U). A local attacker can craft a malicious metadata file that, when opened in Bio-Formats, triggers server-side request forgery (SSRF) through outbound network requests, discloses readable local system resources, or causes a denial of service during XML parsing.
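As an added example, not Bio-Formats' own code and not taken from the advisory, the Java below shows what a DocumentBuilderFactory configured for untrusted XML metadata looks like next to the default construction that the NVD text describes as insecurely configured. The class name, the exact feature set, and the constructed sample document are assumptions; the project's actual fix may differ in detail. The hardened builder refuses any DOCTYPE, so external entities and external DTDs can never be declared, and the remaining feature flags act as defence in depth.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

/** Hypothetical class illustrating a hardened DocumentBuilderFactory for untrusted metadata. */
public final class HardenedXmlParser {

    /** The weak pattern: a default factory resolves external entities and loads external DTDs. */
    static DocumentBuilder defaultBuilder() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    /** Hardened factory: no DOCTYPE, no external entities, no external DTD/schema access, no XInclude. */
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // JDK-wide limits on entity expansion and (JAXP 1.5+) external access.
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Reject any DOCTYPE: microscopy metadata has no legitimate need for one, and
        // without a DTD there is no way to declare an external entity at all.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth should a DOCTYPE ever have to be permitted for some format.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        // Empty string means no protocol is permitted for fetching external DTDs or schemas.
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** Parses the text and returns the root element name; throws if the parser rejects the input. */
    static String rootName(DocumentBuilder b, String xml) throws SAXException, IOException {
        Document d = b.parse(new InputSource(new StringReader(xml)));
        return d.getDocumentElement().getTagName();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a minimal metadata-like document with a DOCTYPE declaring an
        // external entity that points at a placeholder host (the hardened parser never fetches it).
        String withDoctype =
            "<?xml version=\"1.0\"?>\n"
          + "<!DOCTYPE element [<!ENTITY ext SYSTEM \"http://placeholder.invalid/dtd\">]>\n"
          + "<element>&ext;</element>";
        // Constructed sample: a plain document with no DOCTYPE, which must still parse.
        String plain = "<?xml version=\"1.0\"?><element name=\"sample\"/>";

        DocumentBuilder safe = hardenedBuilder();
        System.out.println("plain document root: " + rootName(safe, plain));
        try {
            rootName(safe, withDoctype);
            System.out.println("UNEXPECTED: DOCTYPE was accepted");
        } catch (SAXException e) {
            // Expected path: parsing stops at the DOCTYPE, before any entity resolution.
            System.out.println("hardened parser rejected DOCTYPE: " + e.getMessage());
        }
    }
}
```

Two notes on the design. Disabling DOCTYPE declarations is the single setting that closes the whole class of issues described in the NVD text (external entity expansion, external DTD loading, and the entity-expansion denial of service), so it is worth applying even where the other flags are also set. The ACCESS_EXTERNAL_DTD and ACCESS_EXTERNAL_SCHEMA attributes are JAXP 1.5 properties; on a parser implementation that predates them, setAttribute throws IllegalArgumentException, which a deployment should treat as a configuration failure rather than silently catch.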

Advisories providing mitigation guidance and patch information are available from sources including the Open Microscopy Environment Bio-Formats documentation at https://docs.openmicroscopy.org/bio-formats/, the Bio-Formats GitHub security advisory at https://github.com/ome/bioformats/security/advisories/GHSA-x9vc-qh97-8gjp, the Full Disclosure mailing list at https://seclists.org/fulldisclosure/2026/Jan/6, and the VulnCheck advisory at https://www.vulncheck.com/advisories/bio-formats-xxe-in-leica-xlef-metadata-parser.

Details

CWE(s): CWE-611 (Improper Restriction of XML External Entity Reference)

Affected Products

openmicroscopy / bio-formats, versions ≤ 8.3.0

CVEs Like This One

- CVE-2026-22187: same product (Openmicroscopy Bio-Formats)
- CVE-2025-66516: shared CWE-611
- CVE-2026-33913: shared CWE-611
- CVE-2025-0162: shared CWE-611
- CVE-2025-61813: shared CWE-611
- CVE-2026-3511: shared CWE-611
- CVE-2026-41066: shared CWE-611
- CVE-2024-56324: shared CWE-611
- CVE-2026-1567: shared CWE-611
- CVE-2024-49781: shared CWE-611

References