CVE-2026-22186
Published: 07 January 2026
Summary
CVE-2026-22186 is a medium-severity Improper Restriction of XML External Entity Reference (CWE-611) vulnerability in Openmicroscopy Bio-Formats. Its CVSS base score is 4.6 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002). The vulnerability is ranked at the 1.2 percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-10 (Information Input Validation).
Deeper analysis
Bio-Formats versions up to and including 8.3.0 contain CVE-2026-22186, an XML External Entity (XXE) vulnerability classified under CWE-611 in the Leica Microsystems metadata parsing component (for example, XLEF files). The vulnerability arises from an insecurely configured DocumentBuilderFactory used to process Leica XML-based metadata files, which leaves external entity expansion and external DTD loading enabled.
Exploitation requires local access (AV:L), low attack complexity (AC:L), no privileges (PR:N) and user interaction (UI:R), as indicated by the CVSS v3.1 base score of 7.1 (C:H/I:N/A:H/S:U). A local attacker can craft a malicious metadata file that, when opened in Bio-Formats, triggers server-side request forgery (SSRF) through outbound network requests, discloses readable local system resources, or causes a denial of service during XML parsing.
Advisories providing mitigation guidance and patch information are available from sources including the Open Microscopy Environment Bio-Formats documentation at https://docs.openmicroscopy.org/bio-formats/, the Bio-Formats GitHub security advisory at https://github.com/ome/bioformats/security/advisories/GHSA-x9vc-qh97-8gjp, the Full Disclosure mailing list at https://seclists.org/fulldisclosure/2026/Jan/6, and the VulnCheck advisory at https://www.vulncheck.com/advisories/bio-formats-xxe-in-leica-xlef-metadata-parser.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-1170
Vulnerability details
Bio-Formats versions up to and including 8.3.0 contain an XML External Entity (XXE) vulnerability in the Leica Microsystems metadata parsing component (e.g., XLEF). The parser uses an insecurely configured DocumentBuilderFactory when processing Leica XML-based metadata files, allowing external entity expansion and external DTD loading. A crafted metadata file can trigger outbound network requests (SSRF), access local system resources where readable, or cause a denial of service during XML parsing.
- CWE(s): CWE-611 (Improper Restriction of XML External Entity Reference)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The XXE sits in a local file parser, so the initial trigger is a user opening a malicious file (T1204.002), and the external entity resolution then enables disclosure of local resources (T1005) via the crafted metadata.
Mitigating Controls (NIST 800-53 r5)
SI-10 (Information Input Validation): directly requires validation of XML metadata input to reject external entity declarations and DTDs before the insecurely configured DocumentBuilderFactory processes Leica XLEF files.
CM-6 (Configuration Settings): mandates secure configuration settings that disable external entity expansion and DTD loading in the XML parser used by Bio-Formats.
Boundary protection: enforces boundary controls that can block the outbound network requests (SSRF) and limit local resource access triggered by a crafted metadata file.
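The following Java program is an added example and is not Bio-Formats code or code from the advisory. It places the pattern the advisory describes (a DocumentBuilderFactory left on JAXP defaults, so external entities and external DTDs are resolved) beside a hardened factory that applies the CM-6 settings above, and adds a pre-parse input check in the spirit of SI-10 that rejects any document carrying a DOCTYPE before it reaches the parser. The XML sample, the element names in it and the `file:///PLACEHOLDER/path` entity target are constructed for the example and are not taken from a real XLEF file.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

/**
 * Added example (not Bio-Formats code): insecure vs. hardened
 * DocumentBuilderFactory, plus a pre-parse DOCTYPE check.
 */
public class XlefParserHardening {

    // Constructed sample: the shape of a metadata file that declares an
    // external entity. Element names and the entity target are placeholders.
    static final String CONSTRUCTED_XXE_SAMPLE =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE Metadata [\n"
        + "  <!ENTITY ext SYSTEM \"file:///PLACEHOLDER/path\">\n"
        + "]>\n"
        + "<Metadata><Element Name=\"&ext;\"/></Metadata>\n";

    // SI-10 style input validation: refuse any document that carries a
    // DOCTYPE at all, since Leica metadata has no legitimate need for one
    // (assumption for this example).
    private static final Pattern DOCTYPE = Pattern.compile("<!DOCTYPE", Pattern.CASE_INSENSITIVE);

    static boolean containsDoctype(String xml) {
        return DOCTYPE.matcher(xml).find();
    }

    /** The pattern the advisory describes: JAXP defaults left in place. */
    static DocumentBuilder insecureBuilder() throws ParserConfigurationException {
        // Default factories resolve external general entities and load external DTDs.
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    /** Hardened factory: CM-6 settings that disable entity expansion and DTD loading. */
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Reject any DOCTYPE outright: no internal or external DTD, hence no entities.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers where a DOCTYPE must be tolerated.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        // JAXP secure processing: entity expansion limits and no external access.
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return dbf.newDocumentBuilder();
    }

    /** Parses the document with the given builder and reports what happened. */
    static String tryParse(DocumentBuilder builder, String xml) {
        try {
            Document doc = builder.parse(
                new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return "parsed: root=" + doc.getDocumentElement().getTagName();
        } catch (SAXException e) {
            // The hardened builder lands here: the DOCTYPE is refused before any entity is resolved.
            return "rejected: " + e.getMessage();
        } catch (IOException e) {
            // The insecure builder lands here for the placeholder target: the parser
            // actually tried to open the entity's file, which is the disclosure/SSRF
            // path the advisory describes.
            return "io error while resolving entity: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws ParserConfigurationException {
        System.out.println("SI-10 pre-parse check, DOCTYPE present: "
            + containsDoctype(CONSTRUCTED_XXE_SAMPLE));
        System.out.println("insecure builder: " + tryParse(insecureBuilder(), CONSTRUCTED_XXE_SAMPLE));
        System.out.println("hardened builder: " + tryParse(hardenedBuilder(), CONSTRUCTED_XXE_SAMPLE));
    }
}
```

Compile and run with `javac XlefParserHardening.java && java XlefParserHardening`. The pre-parse check and the `disallow-doctype-decl` feature are deliberately redundant: the check stops a crafted file at the input boundary (SI-10), while the factory settings make the parser safe even when a document reaches it through another code path (CM-6). The remaining feature flags only matter if a DOCTYPE ever has to be accepted, and are listed so that the hardened configuration does not depend on a single setting.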