Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Primary rating from Vendor (eclipse) · only source for this CVE.
CVSS VectorVendor: eclipse
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Lifecycle Timeline
2Blast Radius
ecosystem impact- 22 maven packages depend on org.glassfish.jsftemplating:jsftemplating (20 direct, 2 indirect)
Ecosystem-wide dependent count for version 4.2.0.
DescriptionCVE.org
A critical Remote Code Execution (RCE) vulnerability was identified in the server-side template rendering mechanism used by the Glassfish gadget handler. The application processes .xml files and evaluates user-supplied values within a context where Expression Language (EL) “expressions” are processed without proper sanitization or escaping. By injecting expressions such as #{7*7}, the server returns 49, confirming server-side EL evaluation. This issue allows a remote attacker to fully compromise the underlying host, enabling capabilities as reading/modifying data, executing arbitrary commands, persistence, and lateral movement.
AnalysisAI
Remote code execution in Eclipse GlassFish allows remote attackers to evaluate arbitrary Expression Language (EL) expressions through the gadget handler's server-side template rendering of .xml files, leading to full host compromise. The vulnerability (CVSS 9.6, CWE-917) requires user interaction but no authentication, and is demonstrable by submitting payloads like #{7*7} which the server evaluates to 49. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Technical ContextAI
Eclipse GlassFish is the open-source Jakarta EE (formerly Java EE) reference application server maintained under the Eclipse Foundation. The flaw maps to CWE-917 (Improper Neutralization of Special Elements used in an Expression Language Statement), a class of injection where user-controlled data is concatenated into an EL context - typically the Unified EL used by JSP/JSF/Facelets - and then evaluated by the EL processor. In this case, the gadget handler parses .xml files and substitutes user-supplied values into a template that subsequently invokes EL evaluation without sanitizing or escaping #{...} or ${...} sequences, so any expression the attacker controls can reach Java method-binding resolvers and execute arbitrary logic in the server JVM. The affected CPE is cpe:2.3:a:eclipse_foundation:eclipse_glassfish across all versions per the published data.
RemediationAI
No vendor-released patch identified at time of analysis in the provided data; consult the Eclipse Foundation CVE assignment issue at https://gitlab.eclipse.org/security/cve-assignment/-/issues/86 and the GlassFish release notes for the fixed build and upgrade accordingly. Until a fixed version is applied, restrict network access to the GlassFish administration and gadget handler endpoints to trusted management networks via firewall or reverse-proxy ACLs (side effect: remote admin workflows must move to VPN/bastion), disable or remove the gadget handler component if it is not required in your deployment (side effect: any dashboards or portlets relying on .xml gadget rendering will break), and add a WAF rule blocking request parameters containing #{ or ${ sequences destined for gadget handler URIs (side effect: legitimate content containing those tokens will be rejected, so tune to the gadget paths only). Audit existing .xml gadget definitions for tampering and rotate any credentials stored in the server's domain configuration if exposure is suspected.
More in Eclipse Glassfish
View allRemote code execution in Eclipse GlassFish allows attackers with administrative access to the Administration Console to
HTTP request smuggling in Eclipse Grizzly before 5.0.2 stems from the framework's inability to correctly parse malformed
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30941
GHSA-29wv-cv7p-xjc2