Skip to main content

Eclipse GlassFish CVE-2026-2586

| EUVDEUVD-2026-30939 CRITICAL
Code Injection (CWE-94)
2026-05-19 eclipse GHSA-96v6-hq43-x9h4
9.1
CVSS 3.1 · Vendor: eclipse
Share

Severity by source

Vendor (eclipse) PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Primary rating from Vendor (eclipse) · only source for this CVE.

CVSS VectorVendor: eclipse

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
May 19, 2026 - 15:00 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 22 maven packages depend on org.glassfish.jsftemplating:jsftemplating (20 direct, 2 indirect)
  • 14 maven packages depend on org.glassfish.main.admingui:console-common (12 direct, 2 indirect)

Ecosystem-wide dependent count for version 4.2.0 and other introduced versions.

DescriptionCVE.org

An authenticated Remote Code Execution (RCE) vulnerability was identified in GlassFish's Administration Console. A user with access to the panel can send crafted requests that allow the execution of arbitrary operating system commands with the privileges of the application service user.

AnalysisAI

Remote code execution in Eclipse GlassFish allows attackers with administrative access to the Administration Console to execute arbitrary operating system commands as the application service user. The flaw stems from improper input handling in admin panel requests (CWE-94), and while CVSS rates it 9.1 due to scope change and full CIA impact, exploitation requires high privileges (PR:H). No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Technical ContextAI

Eclipse GlassFish is the open-source Jakarta EE / Java EE reference application server, maintained by the Eclipse Foundation after Oracle transferred stewardship. The Administration Console is the web-based management interface (typically on port 4848) used to deploy applications, manage domains, and configure server resources. CWE-94 (Improper Control of Generation of Code / Code Injection) indicates that user-supplied input reaches a code or command evaluation context without adequate neutralization - in this case, crafted admin requests cause the server to invoke OS-level commands. The CPE 'cpe:2.3:a:eclipse_foundation:eclipse_glassfish:*:*:*:*:*:*:*:*' indicates affected versions are not yet bounded in NVD, suggesting all maintained branches under the Eclipse Foundation should be presumed in scope until the vendor advisory specifies otherwise.

RemediationAI

No vendor-released patch version is identified in the input data at time of analysis; consult the Eclipse Foundation coordination issue at https://gitlab.eclipse.org/security/cve-assignment/-/issues/87 for the authoritative fixed release. Until a patched version is applied, restrict network reachability of the GlassFish Administration Console (default TCP 4848) to a dedicated management VLAN or jump host, enforce strong, unique credentials for all admin accounts and rotate any credentials suspected of exposure, disable any unused admin accounts, and run the domain as a low-privilege OS user so that a successful code injection does not yield root or Administrator on the host (trade-off: may require reconfiguring file permissions on the domain directory). Monitor admin console access logs for unusual requests and configuration changes as a detective control.

Share

CVE-2026-2586 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy