Vulnerability Details CVE-2026-2587
A critical Remote Code Execution (RCE) vulnerability was identified in the server-side template rendering mechanism used by the Glassfish gadget handler. The application processes .xml files and evaluates user-supplied values in a context where Expression Language (EL) expressions are processed without sanitization or escaping. Injecting an expression such as #{7*7} causes the server to return 49, confirming server-side EL evaluation. A remote attacker can use this to fully compromise the underlying host: reading and modifying data, executing arbitrary commands, establishing persistence, and moving laterally.
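The #{7*7} → 49 check above is the standard way to tell EL evaluation apart from plain reflection. The script below is an added example (not code from this advisory or from the GlassFish project) that turns that check into a repeatable probe: it picks two random four-digit operands so the product cannot appear in the page by accident, sends both the deferred (#{}) and immediate (${}) EL forms, and classifies each response as evaluated, reflected (echoed back verbatim, i.e. most likely escaped) or absent. It also includes the input-side check a developer would add to reject values that carry EL delimiters before they reach a template. The endpoint URL and parameter name are assumptions, and the sample responses are constructed so the classifier can be exercised offline.

```python
"""EL-injection probe and input check. Added example; not part of the advisory.
Only probe_url() touches the network; everything else runs offline."""
import re
import secrets
import urllib.parse
import urllib.request

# Both EL delimiter styles: deferred (#{}) and immediate (${}) evaluation.
DELIMITERS = ("#{", "${")

# Anything that looks like the start of an EL expression in untrusted input.
EL_SYNTAX = re.compile(r"[#$]\{")


def make_operands():
    """Two random four-digit operands; their product is unlikely to occur by chance."""
    a = secrets.randbelow(9000) + 1000
    b = secrets.randbelow(9000) + 1000
    return a, b


def build_probes(a, b):
    """Arithmetic probes for each delimiter, e.g. '#{4211*7507}' and '${4211*7507}'."""
    return [f"{d}{a}*{b}}}" for d in DELIMITERS]


def classify(body, a, b):
    """Classify a response body against the operands used in the probe.

    'evaluated'  - the product appears, so the server computed the expression
    'reflected'  - the raw expression was echoed back, so it was not evaluated
    'none'       - neither appears (value not rendered, or stripped)
    """
    product = str(a * b)
    echoed = any(p in body for p in build_probes(a, b))
    if product in body:
        return "evaluated"
    if echoed:
        return "reflected"
    return "none"


def contains_el_syntax(value):
    """Input-side guard: reject user-supplied values that carry EL delimiters.
    Values that end up in template source must never contain '#{' or '${'."""
    return EL_SYNTAX.search(value) is not None


def probe_url(url, param, timeout=10):
    """Send each probe as a GET query parameter and classify the responses.
    Assumes (hypothetically) that `param` is rendered into a server-side template."""
    a, b = make_operands()
    results = {}
    for probe in build_probes(a, b):
        query = urllib.parse.urlencode({param: probe})
        with urllib.request.urlopen(f"{url}?{query}", timeout=timeout) as resp:
            body = resp.read().decode("utf-8", errors="replace")
        results[probe] = classify(body, a, b)
    return results


# Constructed sample responses for an offline demonstration (4211 * 7507 = 31611977).
SAMPLE_EVALUATED = "<html><body>Hello 31611977</body></html>"
SAMPLE_REFLECTED = "<html><body>Hello #{4211*7507}</body></html>"
SAMPLE_NONE = "<html><body>Hello</body></html>"

if __name__ == "__main__":
    for name, body in (("evaluated", SAMPLE_EVALUATED),
                       ("reflected", SAMPLE_REFLECTED),
                       ("none", SAMPLE_NONE)):
        print(name, "->", classify(body, 4211, 7507))
    print("input guard:", contains_el_syntax("#{7*7}"), contains_el_syntax("plain text"))
```

A "reflected" result is not proof of safety: it only shows that this particular sink echoed the text. The same value may be written into an .xml template and evaluated later, so a stored value should be re-checked on every page that renders it. Treat a single "evaluated" hit as confirmation and stop there; the arithmetic probe is sufficient evidence without executing anything else on the host.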
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 34.7%
CVSS Severity
CVSS v3 Score 9.6
Products affected by CVE-2026-2587
- cpe:2.3:a:eclipse:glassfish:-
- cpe:2.3:a:eclipse:glassfish:5.1.0
- cpe:2.3:a:eclipse:glassfish:6.0.0
- cpe:2.3:a:eclipse:glassfish:6.2.5
- cpe:2.3:a:eclipse:glassfish:7.0.1
- cpe:2.3:a:eclipse:glassfish:7.0.10
- cpe:2.3:a:eclipse:glassfish:7.0.11
- cpe:2.3:a:eclipse:glassfish:7.0.12
- cpe:2.3:a:eclipse:glassfish:7.0.13
- cpe:2.3:a:eclipse:glassfish:7.0.14
- cpe:2.3:a:eclipse:glassfish:7.0.15
- cpe:2.3:a:eclipse:glassfish:7.0.16
- cpe:2.3:a:eclipse:glassfish:7.0.17
- cpe:2.3:a:eclipse:glassfish:7.0.18
- cpe:2.3:a:eclipse:glassfish:7.0.19
- cpe:2.3:a:eclipse:glassfish:7.0.2
- cpe:2.3:a:eclipse:glassfish:7.0.20
- cpe:2.3:a:eclipse:glassfish:7.0.21
- cpe:2.3:a:eclipse:glassfish:7.0.22
- cpe:2.3:a:eclipse:glassfish:7.0.23
- cpe:2.3:a:eclipse:glassfish:7.0.24
- cpe:2.3:a:eclipse:glassfish:7.0.25
- cpe:2.3:a:eclipse:glassfish:7.0.3
- cpe:2.3:a:eclipse:glassfish:7.0.4
- cpe:2.3:a:eclipse:glassfish:7.0.5
- cpe:2.3:a:eclipse:glassfish:7.0.6
- cpe:2.3:a:eclipse:glassfish:7.0.7
- cpe:2.3:a:eclipse:glassfish:7.0.8
- cpe:2.3:a:eclipse:glassfish:7.0.9
- cpe:2.3:a:eclipse:glassfish:7.1.0
- cpe:2.3:a:eclipse:glassfish:8.0.0
- cpe:2.3:a:eclipse:glassfish:8.0.1