Threat Entry Updated 2026-02-26

CVE-2026-22187 - Bio-Formats Plugin

Bio-Formats versions up to and including 8.3.0 perform unsafe Java deserialization of attacker-controlled memoization cache files (.bfmemo) during image processing. The loci.formats.Memoizer class automatically loads and deserializes memo files associated with images without validation, integrity checks, or trust enforcement. An attacker who can supply a crafted .bfmemo file alongside an image can trigger deserialization of untrusted data, which may result in denial of service, logic manipulation, or potentially remote code execution in environments where suitable gadget chains are present on the classpath.

PLUGIN Bio-Formats

CVE-2026-22187

MEDIUM CVSS 6.8 2026-01-07

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2026-02-26

CVE-2026-22186 - Bio-Formats Plugin

Bio-Formats versions up to and including 8.3.0 contain an XML External Entity (XXE) vulnerability in the Leica Microsystems metadata parsing component (e.g., XLEF). The parser uses an insecurely configured DocumentBuilderFactory when processing Leica XML-based metadata files, allowing external entity expansion and external DTD loading. A crafted metadata file can trigger outbound network requests (SSRF), access local system resources where readable, or cause a denial of service during XML parsing.

PLUGIN Bio-Formats

CVE-2026-22186

MEDIUM CVSS 4.6 2026-01-07

Risk Score

Open Full Technical Breakdown