4.6

CVSS Score

4.0

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2026-22186

CVE-2026-22186: Bio-Formats has an XML External Entity (XXE) vulnerability

Bio-Formats versions up to and including 8.3.0 contain an XML External Entity (XXE) vulnerability in the Leica Microsystems metadata parsing component (e.g., XLEF). The parser uses an insecurely configured DocumentBuilderFactory when processing Leica XML-based metadata files, allowing external entity expansion and external DTD loading. A crafted metadata file can trigger outbound network requests (SSRF), access local system resources where readable, or cause a denial of service during XML parsing.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2026-22186

CVE-2026-22186:

4.6

CVSS Score

4.0

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
ome:pom-bio-formats	maven	<= 8.3.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The analysis is based on the detailed vulnerability disclosure found on seclists.org. The disclosure includes a proof-of-concept and a stack trace that pinpoints the exact location of the vulnerability. The stack trace at LMSXmlDocument.initFromFilepath(LMSXmlDocument.java:125) directly implicates the initFromFilepath method in the LMSXmlDocument.java file as the source of the XXE vulnerability. The advisory explains that the DocumentBuilderFactory is not securely configured to prevent external entity expansion, which is the root cause of the vulnerability. Although no patch is available, the evidence from the advisory is sufficient to identify the vulnerable function with high confidence.

Vulnerable functions

loci.formats.in.LMSXmlDocument.initFromFilepath

components/formats-bsd/src/loci/formats/in/LMSXmlDocument.java

The `initFromFilepath` function in `LMSXmlDocument.java` uses an insecurely configured `DocumentBuilderFactory` to parse XML files. This allows attackers to craft malicious XML files with external entities, leading to an XML External Entity (XXE) injection. This can be exploited for server-side request forgery (SSRF), local file access, or denial of service.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

4.6

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2026-22186: Bio-Formats has an XML External Entity (XXE) vulnerability

CVE-2026-22186:

4.6

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

4.6

4.6

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

CVE-2026-22186: Bio-Formats has an XML External Entity (XXE) vulnerability

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI