{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-28T01:10:58.708","vulnerabilities":[{"cve":{"id":"CVE-2026-22186","sourceIdentifier":"disclosure@vulncheck.com","published":"2026-01-07T21:16:02.433","lastModified":"2026-06-17T10:19:30.370","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"Bio-Formats versions up to and including 8.3.0 contain an XML External Entity (XXE) vulnerability in the Leica Microsystems metadata parsing component (e.g., XLEF). The parser uses an insecurely configured DocumentBuilderFactory when processing Leica XML-based metadata files, allowing external entity expansion and external DTD loading. A crafted metadata file can trigger outbound network requests (SSRF), access local system resources where readable, or cause a denial of service during XML parsing."},{"lang":"es","value":"Las versiones de Bio-Formats hasta la 8.3.0 inclusive contienen una vulnerabilidad de entidad externa XML (XXE) en el componente de análisis de metadatos de Leica Microsystems (p. ej., XLEF). El analizador utiliza una DocumentBuilderFactory configurada de forma insegura al procesar archivos de metadatos de Leica basados en XML, lo que permite la expansión de entidades externas y la carga de DTD externas. Un archivo de metadatos manipulado puede desencadenar solicitudes de red salientes (SSRF), acceder a recursos del sistema local donde sean legibles o causar una denegación de servicio durante el análisis XML."}],"affected":[{"source":"disclosure@vulncheck.com","affectedData":[{"vendor":"Open Microscopy Environment","product":"Bio-Formats","defaultStatus":"unaffected","versions":[{"version":"0","lessThanOrEqual":"8.3.0","versionType":"semver","status":"affected"}]}]}],"metrics":{"cvssMetricV40":[{"source":"disclosure@vulncheck.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":4.6,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"ACTIVE","vulnConfidentialityImpact":"LOW","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"LOW","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H","baseScore":7.1,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.2}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-01-07T21:16:47.850182Z","id":"CVE-2026-22186","options":[{"exploitation":"poc"},{"automatable":"no"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"weaknesses":[{"source":"disclosure@vulncheck.com","type":"Secondary","description":[{"lang":"en","value":"CWE-611"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:openmicroscopy:bio-formats:*:*:*:*:*:*:*:*","versionEndIncluding":"8.3.0","matchCriteriaId":"779C4146-854C-430E-BA48-A8AD79A97ADE"}]}]}],"references":[{"url":"https://docs.openmicroscopy.org/bio-formats/","source":"disclosure@vulncheck.com","tags":["Release Notes"]},{"url":"https://github.com/ome/bioformats/security/advisories/GHSA-x9vc-qh97-8gjp","source":"disclosure@vulncheck.com"},{"url":"https://seclists.org/fulldisclosure/2026/Jan/6","source":"disclosure@vulncheck.com","tags":["Mailing List"]},{"url":"https://www.vulncheck.com/advisories/bio-formats-xxe-in-leica-xlef-metadata-parser","source":"disclosure@vulncheck.com","tags":["Third Party Advisory"]}]}}]}