CVE-2026-2587
Description
A critical Remote Code Execution (RCE) vulnerability was identified in the server-side template rendering mechanism used by the Glassfish gadget handler. The application processes .xml files and evaluates user-supplied values within a context where Expression Language (EL) “expressions” are processed without proper sanitization or escaping. By injecting expressions such as #{7*7}, the server returns 49, confirming server-side EL evaluation. This issue allows a remote attacker to fully compromise the underlying host, enabling capabilities as reading/modifying data, executing arbitrary commands, persistence, and lateral movement.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.glassfish.main.admingui:adminguiMaven | < 8.0.2 | 8.0.2 |
org.glassfish.jsftemplating:jsftemplatingMaven | < 4.2.0 | 4.2.0 |
Affected products
2Patches
Vulnerability mechanics
References
4- github.com/advisories/GHSA-29wv-cv7p-xjc2ghsaADVISORY
- gitlab.eclipse.org/security/cve-assignment/-/issues/86nvdIssue TrackingThird Party AdvisoryExploitWEB
- nvd.nist.gov/vuln/detail/CVE-2026-2587ghsaADVISORY
- github.com/eclipse-ee4j/glassfish/releases/tag/8.0.2ghsaWEB
News mentions
0No linked articles in our index yet.