CVE-2026-2587
9.6 CRITICALA critical Remote Code Execution (RCE) vulnerability was identified in the server-side template rendering mechanism used by the Glassfish...
Published: 2026-05-19 · Last updated: 2026-05-21
Severity and scoring
- CVSS
- 9.6 CRITICAL
- Vector
- CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
- CWE
- CWE-917
Affected products
| Vendor | Product |
|---|---|
| eclipse | glassfish |
Description
A critical Remote Code Execution (RCE) vulnerability was identified in the server-side template rendering mechanism used by the Glassfish gadget handler. The application processes .xml files and evaluates user-supplied values within a context where Expression Language (EL) “expressions” are processed without proper sanitization or escaping. By injecting expressions such as #{7*7}, the server returns 49, confirming server-side EL evaluation. This issue allows a remote attacker to fully compromise the underlying host, enabling capabilities as reading/modifying data, executing arbitrary commands, persistence, and lateral movement.
Source: NVD
References
Related CVEs
Same vendor
- CVE-2026-2586 — An authenticated Remote Code Execution (RCE) vulnerability was identified in GlassFish's Administration Console (9.1 CRITICAL)
Same CWE
- CVE-2026-41729 — Spring Data REST is vulnerable to SpEL expression injection through map-typed properties when processing JSON Patch (application/json-pat... (8.1 HIGH)
- CVE-2026-41719 — A SpEL Injection vulnerability exists in the Spring Data KeyValue if unsanitized user input is passed as Sort into a repository query met... (6.4 MEDIUM)
- CVE-2026-41717 — Spring Data MongoDB contains a SpEL (Spring Expression Language) expression injection vulnerability (8.1 HIGH)
- CVE-2026-8888 — Version 3.0.7 of the Securly Chrome Extension downloads config.json over HTTP and compiles server-provided patterns as JavaScript regular... (7.5 HIGH)
- CVE-2026-2586 — An authenticated Remote Code Execution (RCE) vulnerability was identified in GlassFish's Administration Console (9.1 CRITICAL)