7.1
CVE-2026-22186
- EPSS 0.14%
- Veröffentlicht 07.01.2026 20:26:48
- Zuletzt bearbeitet 18.03.2026 17:16:06
- Quelle disclosure@vulncheck.com
- CVE-Watchlists
- Unerledigt
LoginBio-Formats <= 8.3.0 XXE in Leica XLEF Metadata Parser
Bio-Formats versions up to and including 8.3.0 contain an XML External Entity (XXE) vulnerability in the Leica Microsystems metadata parsing component (e.g., XLEF). The parser uses an insecurely configured DocumentBuilderFactory when processing Leica XML-based metadata files, allowing external entity expansion and external DTD loading. A crafted metadata file can trigger outbound network requests (SSRF), access local system resources where readable, or cause a denial of service during XML parsing.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Openmicroscopy ≫ Bio-formats Version <= 8.3.0
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.14% | 0.038 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 7.1 | 1.8 | 5.2 |
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
|
| disclosure@vulncheck.com | 4.6 | 0 | 0 |
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
|
CWE-611 Improper Restriction of XML External Entity Reference
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
https://seclists.org/fulldisclosure/2026/Jan/6
https://docs.openmicroscopy.org/bio-formats/
https://www.vulncheck.com/advisories/bio-formats-xxe-in-leica-xlef-metadata-parser
https://github.com/ome/bioformats/security/advisories/GHSA-x9vc-qh97-8gjp