CVE-2026-2587
Description
A critical Remote Code Execution (RCE) vulnerability was identified in the server-side template rendering mechanism used by the Glassfish gadget handler. The application processes .xml files and evaluates user-supplied values within a context where Expression Language (EL) expressions are processed without proper sanitization or escaping. By injecting expressions such as #{7*7}, the server returns 49, confirming server-side EL evaluation. This issue allows a remote attacker to fully compromise the underlying host, enabling capabilities such as reading/modifying data, executing arbitrary commands, persistence, and lateral movement.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Critical RCE in Glassfish gadget handler via EL injection in .xml template rendering, allowing full host compromise.
Vulnerability
A critical Remote Code Execution (RCE) vulnerability exists in the server-side template rendering mechanism of the Glassfish gadget handler. The application processes .xml files and evaluates user-supplied values within a context where Expression Language (EL) expressions are processed without proper sanitization or escaping. This allows injection of EL expressions such as #{7*7}, which the server evaluates and returns 49, confirming server-side EL evaluation. The vulnerability affects all versions of Glassfish prior to the fix released in version 6.2.12 [1].
Exploitation
An attacker can exploit this vulnerability remotely without authentication by sending a crafted .xml file or HTTP request containing malicious EL expressions to the Glassfish gadget handler. The attacker does not require any special network position beyond network access to the vulnerable server. No user interaction is needed. The exploitation sequence involves injecting an EL expression that executes arbitrary system commands or accesses sensitive data [1].
Impact
Successful exploitation allows a remote attacker to fully compromise the underlying host. The attacker gains the ability to read and modify data, execute arbitrary commands, achieve persistence, and perform lateral movement within the network. The impact is complete loss of confidentiality, integrity, and availability (CIA) of the affected system [1].
Mitigation
The vulnerability is fixed in Glassfish version 6.2.12, released on 2026-05-19. Users should upgrade to this version immediately. No workarounds are available. The vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog [1].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
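The #{7*7} probe described above leaves a recognizable trace in request logs: a query parameter carrying EL syntax followed by an unusually small response body. As an added example (not part of the CVE record and not Glassfish project code), the Python below applies that observation to a few constructed access-log lines and also provides a reject-by-syntax validator that an application could place in front of any value it interpolates into a template. The /gadgets/render endpoint, the parameter name and the log format are assumptions for the example.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines (assumed common log format with a
# trailing byte count); not taken from any real server.
SAMPLE_LOG = """\
10.0.0.5 - - [20/May/2026:10:01:02 +0000] "GET /gadgets/render?name=weather HTTP/1.1" 200 512
10.0.0.9 - - [20/May/2026:10:01:07 +0000] "GET /gadgets/render?name=%23%7B7*7%7D HTTP/1.1" 200 2
10.0.0.9 - - [20/May/2026:10:01:11 +0000] "GET /gadgets/render?name=${1%2B1} HTTP/1.1" 200 1
10.0.0.7 - - [20/May/2026:10:02:30 +0000] "POST /gadgets/upload HTTP/1.1" 200 1024
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+)$'
)

# Deferred (#{...}) and immediate (${...}) EL expression syntax.
EL_RE = re.compile(r'[#$]\{[^}]*\}')

# Response bodies this small are consistent with the server returning only
# the evaluated value (e.g. "49"); threshold is a tunable assumption.
TINY_BODY_BYTES = 8


def contains_el(value: str) -> bool:
    """True if the (already URL-decoded) value carries EL expression syntax."""
    return EL_RE.search(value) is not None


def validate_template_value(value: str) -> str:
    """Defense-in-depth input check: refuse values that would be evaluated
    as EL if interpolated into a template. Returns the value unchanged
    when it is clean, raises ValueError otherwise."""
    if contains_el(value):
        raise ValueError("EL expression syntax is not permitted in this field")
    return value


def find_el_probes(log_text: str) -> list:
    """Scan log lines for query parameters that contain EL syntax.
    Only GET query strings are visible in an access log; POST bodies
    (such as uploaded .xml files) need application-level logging."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m["target"]).query
        # parse_qsl percent-decodes, so %23%7B7*7%7D becomes #{7*7}.
        for key, value in parse_qsl(query, keep_blank_values=True):
            if contains_el(value):
                findings.append({
                    "ip": m["ip"],
                    "time": m["time"],
                    "param": key,
                    "value": value,
                    "status": int(m["status"]),
                    "bytes": int(m["bytes"]),
                    # A 200 with a tiny body suggests the expression was
                    # evaluated rather than echoed back or rejected.
                    "likely_evaluated": m["status"] == "200"
                    and int(m["bytes"]) <= TINY_BODY_BYTES,
                })
    return findings


if __name__ == "__main__":
    for hit in find_el_probes(SAMPLE_LOG):
        print(hit)
```

The detector flags the two probe lines from 10.0.0.9 and marks both as likely evaluated because of the 200 status with a one- or two-byte body; the benign "weather" request is not reported. The validator is a syntax-level gate, not a substitute for the vendor fix: it stops the easy probes but the real mitigation remains upgrading to 6.2.12.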
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions (0)
No linked articles in our index yet.