Skip to main content

Eclipse GlassFish CVE-2026-2587

| EUVDEUVD-2026-30941 CRITICAL
Improper Neutralization of Special Elements used in an Expression Language Statement (CWE-917)
2026-05-19 eclipse GHSA-29wv-cv7p-xjc2
9.6
CVSS 3.1 · Vendor: eclipse
Share

Severity by source

Vendor (eclipse) PRIMARY
9.6 CRITICAL
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Primary rating from Vendor (eclipse) · only source for this CVE.

CVSS VectorVendor: eclipse

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Patch available
May 19, 2026 - 15:02 EUVD
Analysis Generated
May 19, 2026 - 15:00 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 22 maven packages depend on org.glassfish.jsftemplating:jsftemplating (20 direct, 2 indirect)

Ecosystem-wide dependent count for version 4.2.0.

DescriptionCVE.org

A critical Remote Code Execution (RCE) vulnerability was identified in the server-side template rendering mechanism used by the Glassfish gadget handler. The application processes .xml files and evaluates user-supplied values within a context where Expression Language (EL) “expressions” are processed without proper sanitization or escaping. By injecting expressions such as #{7*7}, the server returns 49, confirming server-side EL evaluation. This issue allows a remote attacker to fully compromise the underlying host, enabling capabilities as reading/modifying data, executing arbitrary commands, persistence, and lateral movement.

AnalysisAI

Remote code execution in Eclipse GlassFish allows remote attackers to evaluate arbitrary Expression Language (EL) expressions through the gadget handler's server-side template rendering of .xml files, leading to full host compromise. The vulnerability (CVSS 9.6, CWE-917) requires user interaction but no authentication, and is demonstrable by submitting payloads like #{7*7} which the server evaluates to 49. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Technical ContextAI

Eclipse GlassFish is the open-source Jakarta EE (formerly Java EE) reference application server maintained under the Eclipse Foundation. The flaw maps to CWE-917 (Improper Neutralization of Special Elements used in an Expression Language Statement), a class of injection where user-controlled data is concatenated into an EL context - typically the Unified EL used by JSP/JSF/Facelets - and then evaluated by the EL processor. In this case, the gadget handler parses .xml files and substitutes user-supplied values into a template that subsequently invokes EL evaluation without sanitizing or escaping #{...} or ${...} sequences, so any expression the attacker controls can reach Java method-binding resolvers and execute arbitrary logic in the server JVM. The affected CPE is cpe:2.3:a:eclipse_foundation:eclipse_glassfish across all versions per the published data.

RemediationAI

No vendor-released patch identified at time of analysis in the provided data; consult the Eclipse Foundation CVE assignment issue at https://gitlab.eclipse.org/security/cve-assignment/-/issues/86 and the GlassFish release notes for the fixed build and upgrade accordingly. Until a fixed version is applied, restrict network access to the GlassFish administration and gadget handler endpoints to trusted management networks via firewall or reverse-proxy ACLs (side effect: remote admin workflows must move to VPN/bastion), disable or remove the gadget handler component if it is not required in your deployment (side effect: any dashboards or portlets relying on .xml gadget rendering will break), and add a WAF rule blocking request parameters containing #{ or ${ sequences destined for gadget handler URIs (side effect: legitimate content containing those tokens will be rejected, so tune to the gadget paths only). Audit existing .xml gadget definitions for tampering and rotate any credentials stored in the server's domain configuration if exposure is suspected.

Share

CVE-2026-2587 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy