Severity by source
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Primary rating from Vendor (eclipse) · only source for this CVE.
CVSS VectorVendor: eclipse
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
1Blast Radius
ecosystem impact- 22 maven packages depend on org.glassfish.jsftemplating:jsftemplating (20 direct, 2 indirect)
- 14 maven packages depend on org.glassfish.main.admingui:console-common (12 direct, 2 indirect)
Ecosystem-wide dependent count for version 4.2.0 and other introduced versions.
DescriptionCVE.org
An authenticated Remote Code Execution (RCE) vulnerability was identified in GlassFish's Administration Console. A user with access to the panel can send crafted requests that allow the execution of arbitrary operating system commands with the privileges of the application service user.
AnalysisAI
Remote code execution in Eclipse GlassFish allows attackers with administrative access to the Administration Console to execute arbitrary operating system commands as the application service user. The flaw stems from improper input handling in admin panel requests (CWE-94), and while CVSS rates it 9.1 due to scope change and full CIA impact, exploitation requires high privileges (PR:H). No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Technical ContextAI
Eclipse GlassFish is the open-source Jakarta EE / Java EE reference application server, maintained by the Eclipse Foundation after Oracle transferred stewardship. The Administration Console is the web-based management interface (typically on port 4848) used to deploy applications, manage domains, and configure server resources. CWE-94 (Improper Control of Generation of Code / Code Injection) indicates that user-supplied input reaches a code or command evaluation context without adequate neutralization - in this case, crafted admin requests cause the server to invoke OS-level commands. The CPE 'cpe:2.3:a:eclipse_foundation:eclipse_glassfish:*:*:*:*:*:*:*:*' indicates affected versions are not yet bounded in NVD, suggesting all maintained branches under the Eclipse Foundation should be presumed in scope until the vendor advisory specifies otherwise.
RemediationAI
No vendor-released patch version is identified in the input data at time of analysis; consult the Eclipse Foundation coordination issue at https://gitlab.eclipse.org/security/cve-assignment/-/issues/87 for the authoritative fixed release. Until a patched version is applied, restrict network reachability of the GlassFish Administration Console (default TCP 4848) to a dedicated management VLAN or jump host, enforce strong, unique credentials for all admin accounts and rotate any credentials suspected of exposure, disable any unused admin accounts, and run the domain as a low-privilege OS user so that a successful code injection does not yield root or Administrator on the host (trade-off: may require reconfiguring file permissions on the domain directory). Monitor admin console access logs for unusual requests and configuration changes as a detective control.
More in Eclipse Glassfish
View allRemote code execution in Eclipse GlassFish allows remote attackers to evaluate arbitrary Expression Language (EL) expres
HTTP request smuggling in Eclipse Grizzly before 5.0.2 stems from the framework's inability to correctly parse malformed
Same weakness CWE-94 – Code Injection
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30939
GHSA-96v6-hq43-x9h4