Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2026-22187 PoC — Bio-Formats <= 8.3.0 Memoizer Unsafe Deserialization via .bfmemo Cache Files

Source
https://github.com/George0Papasotiriou/CVE-2026-22187-Bio-Formats-unsafe-Java-deserialization-via-.bfmemo
Associated Vulnerability
Title:Bio-Formats <= 8.3.0 Memoizer Unsafe Deserialization via .bfmemo Cache Files (CVE-2026-22187)
Description:Bio-Formats versions up to and including 8.3.0 perform unsafe Java deserialization of attacker-controlled memoization cache files (.bfmemo) during image processing. The loci.formats.Memoizer class automatically loads and deserializes memo files associated with images without validation, integrity checks, or trust enforcement. An attacker who can supply a crafted .bfmemo file alongside an image can trigger deserialization of untrusted data, which may result in denial of service, logic manipulation, or potentially remote code execution in environments where suitable gadget chains are present on the classpath.
Description
Bio-Formats ≤ 8.3.0 performs unsafe Java deserialization of attacker-controlled .bfmemo cache files during image processing; crafted .bfmemo can trigger deserialization of untrusted data (DoS/logic manipulation; potentially RCE if gadget chains exist).
File Snapshot

 None
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →