Description
Bio-Formats versions up to and including 8.3.0 contain an XML External Entity (XXE) vulnerability in the Leica Microsystems metadata parsing component (e.g., XLEF). The parser uses an insecurely configured DocumentBuilderFactory when processing Leica XML-based metadata files, allowing external entity expansion and external DTD loading. A crafted metadata file can trigger outbound network requests (SSRF), access local system resources where readable, or cause a denial of service during XML parsing.
Published: 2026-01-07
Score: 4.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Potential data disclosure and SSRF through crafted Leica metadata
Action: Patch
AI Analysis

Impact

Bio-Formats versions up to and including 8.3.0 contain an XML External Entity vulnerability in the Leica Microsystems metadata parser. Because the DocumentBuilderFactory is left in its default configuration, a crafted XML file can declare external entities and an external DTD that the parser resolves while it reads the file. The consequences are the usual XXE set: a request from the parsing process to any host it can reach (SSRF), disclosure of local files the process can read (their contents are expanded into the parsed document), and denial of service, for example through deeply nested entity expansion or a fetch of an external resource that never answers. The weakness is classified as CWE-611 (Improper Restriction of XML External Entity Reference).

Affected Systems

All installations of the Open Microscopy Environment’s Bio-Formats library version 8.3.0 or earlier that use the Leica XLEF metadata parser are affected. The vulnerability applies to any system that accepts or processes Leica XML-based metadata files using this parser.

Risk and Exploitability

Two base scores are recorded for this CVE: CVSS 4.0 4.6 (AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:L), the score OpenCVE displays, and CVSS 3.1 7.1 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H), added to the record in February 2026. Both treat the attack vector as local with user interaction, which reflects the precondition: the attacker has to get a crafted Leica metadata file opened by Bio-Formats. In practice that covers any workflow that ingests untrusted image data, whether a user opening a file on a workstation or a service accepting uploads over the network. The EPSS probability below 1% indicates a low predicted likelihood of exploitation, and the vulnerability is not listed in the CISA KEV catalog. The SSVC assessment on the record lists Exploitation as 'poc', Automatable as 'no' and Technical Impact as 'partial', so proof-of-concept material exists but no in-the-wild exploitation is recorded. Once such a file is parsed, the external entity and DTD fetches fire with no further interaction, so the conditions for exploitation are met wherever the library processes untrusted XML metadata.

Generated by OpenCVE AI on April 18, 2026 at 16:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Bio-Formats to the latest release—at least 8.3.1—where the XML parser has been hardened against XXE.
  • If an upgrade cannot be performed immediately, make sure every JAXP factory that touches these files (DocumentBuilderFactory, and likewise SAXParserFactory or XMLInputFactory where used) rejects DOCTYPE declarations (http://apache.org/xml/features/disallow-doctype-decl), disables external general and parameter entities, disables external DTD loading (http://apache.org/xml/features/nonvalidating/load-external-dtd) and enables XMLConstants.FEATURE_SECURE_PROCESSING. Because the factory is created inside the library, that is a code change rather than a deployment setting; at deployment level the JVM-wide JAXP 1.5 properties (-Djavax.xml.accessExternalDTD= with an empty value, or the same key in jaxp.properties) block external DTD and entity fetches for parser implementations that honour them, which the JDK's built-in parser does but an older bundled Xerces may not.
  • Reject incoming Leica metadata files that contain a DOCTYPE declaration before they reach the parser, and run any schema validation with the same hardened factory: a validator with default settings is itself an XML parser and resolves the external entity before it ever reports a schema violation. Restrict outbound network access from the parsing process to the destinations it actually needs, so that a successful SSRF cannot reach internal services.
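The default configuration the advisory describes next to the hardened one the recommendations call for, exercised on a crafted file. This is an added example, not code from Bio-Formats or from the GHSA advisory. The sample document is constructed: its element names are invented stand-ins rather than the Leica XLEF schema, and the file:///etc/hostname entity target is an arbitrary readable file chosen to show the local-file read; substituting an http:// URL for a host you control shows the outbound request instead.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.regex.Pattern;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

// Added example (not Bio-Formats code): the default JAXP configuration the advisory
// describes, next to a hardened one, exercised on a constructed XXE payload.
public class XxeHardeningDemo {

    // Constructed stand-in for a Leica XML metadata file. Element names are invented;
    // only the DOCTYPE matters. Swap the SYSTEM URL for an http:// URL you control to
    // observe the outbound request (SSRF) instead of the local file read.
    static final String CRAFTED =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE Metadata [\n"
      + "  <!ENTITY xxe SYSTEM \"file:///etc/hostname\">\n"
      + "]>\n"
      + "<Metadata>\n"
      + "  <Image Name=\"&xxe;\"/>\n"
      + "</Metadata>\n";

    // Default factory: DOCTYPE accepted, external entities resolved, external DTD fetched.
    static DocumentBuilder insecureBuilder() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    // Hardened factory. Rejecting the DOCTYPE outright is the decisive control; the
    // remaining features are defence in depth for code paths that must tolerate one.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        try {
            // JAXP 1.5 properties; an empty string means no protocol is permitted.
            f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        } catch (IllegalArgumentException olderXerces) {
            // A bundled pre-JAXP-1.5 Xerces rejects these; the features above still apply.
        }
        return f.newDocumentBuilder();
    }

    // Cheap pre-parse gate for the "reject before parsing" step: legitimate files carry
    // no DTD, so any DOCTYPE is grounds for rejection. A text check on a decoded prefix
    // supplements parser hardening; it does not replace it (encodings, oversized prefixes).
    static boolean containsDoctype(String xmlPrefix) {
        return Pattern.compile("<!DOCTYPE", Pattern.CASE_INSENSITIVE).matcher(xmlPrefix).find();
    }

    // Returns the value the parser placed in Image/@Name, i.e. what the entity expanded to.
    static String parseName(DocumentBuilder b, String xml) throws SAXException, IOException {
        Document d = b.parse(new InputSource(new StringReader(xml)));
        return d.getElementsByTagName("Image").item(0).getAttributes().getNamedItem("Name").getNodeValue();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("pre-parse DOCTYPE gate fires: " + containsDoctype(CRAFTED));

        try {
            parseName(hardenedBuilder(), CRAFTED);
            System.out.println("UNEXPECTED: hardened parser accepted the DOCTYPE");
        } catch (SAXException e) {
            // Expected: the DOCTYPE is rejected before any entity is resolved.
            System.out.println("hardened parser rejected the file: " + e.getMessage());
        }

        try {
            // Either outcome shows the problem: the entity content lands in the attribute,
            // or an IOException proves the parser went off to fetch the external resource.
            System.out.println("insecure parser expanded entity to: " + parseName(insecureBuilder(), CRAFTED).trim());
        } catch (IOException e) {
            System.out.println("insecure parser tried to resolve the entity: " + e);
        }
    }
}
```

Compile with javac and run with java on a stock JDK; no dependencies beyond the built-in JAXP parser. To confirm the SSRF path, point the SYSTEM URL at a listener you control (for example a netcat listener on a lab host) and run the insecure branch: the connection arrives during parse(), before the application has looked at a single element.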


Advisories
Source: GitHub GHSA | ID: GHSA-fcqj-76g3-q7qm | Title: Bio-Formats has an XML External Entity (XXE) vulnerability
History

Wed, 18 Mar 2026 17:00:00 +0000


Thu, 26 Feb 2026 23:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Openmicroscopy; Openmicroscopy bio-formats
CPEs | | cpe:2.3:a:openmicroscopy:bio-formats:*:*:*:*:*:*:*:*
Vendors & Products | | Openmicroscopy; Openmicroscopy bio-formats
Metrics | | cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H'}


Wed, 07 Jan 2026 22:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 07 Jan 2026 20:45:00 +0000

Type | Values Removed | Values Added
Description | | Bio-Formats versions up to and including 8.3.0 contain an XML External Entity (XXE) vulnerability in the Leica Microsystems metadata parsing component (e.g., XLEF). The parser uses an insecurely configured DocumentBuilderFactory when processing Leica XML-based metadata files, allowing external entity expansion and external DTD loading. A crafted metadata file can trigger outbound network requests (SSRF), access local system resources where readable, or cause a denial of service during XML parsing.
Title | | Bio-Formats <= 8.3.0 XXE in Leica XLEF Metadata Parser
Weaknesses | | CWE-611
References | |
Metrics | | cvssV4_0 {'score': 4.6, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-18T16:45:21.535Z

Reserved: 2026-01-06T16:47:17.182Z

Link: CVE-2026-22186

Vulnrichment

Updated: 2026-01-07T21:17:15.246Z

NVD

Status : Modified

Published: 2026-01-07T21:16:02.433

Modified: 2026-03-18T17:16:06.187

Link: CVE-2026-22186

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T17:00:05Z

Weaknesses