What is the CVSS score of EUVD-2026-30941?

EUVD-2026-30941 has a CVSS 3.1 base score of 9.6 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H. EPSS exploitation probability: 0.2%.

Which versions of Eclipse GlassFish are affected by EUVD-2026-30941?

Eclipse GlassFish contains a critical remote code execution vulnerability (CVSS 9.6) allowing unauthenticated attackers to execute arbitrary code and fully compromise affected servers through…. A patch is available.

How to fix or mitigate EUVD-2026-30941?

Within 24 hours: Inventory all Eclipse GlassFish instances across the organization and audit application logs for XML file processing errors or suspicious expression language patterns. Within 7 days: Implement network segmentation to restrict GlassFish server exposure; deploy Web Application Firewall rules to block expression language payloads (e.g., patterns matching #{...}); disable XML file upload functionality where operationally feasible. Within 30 days: Establish automated monitoring of Eclipse GlassFish security advisories; develop and test a migration path to patched versions when vendor releases updates.

Eclipse GlassFish EUVD-2026-30941

| CVE-2026-2587 CRITICAL

Improper Neutralization of Special Elements used in an Expression Language Statement (CWE-917)

2026-05-19 eclipse

GHSA-29wv-cv7p-xjc2

RCE

9.6

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Patch available

May 19, 2026 - 15:02 EUVD

Analysis Generated

May 19, 2026 - 15:00 vuln.today

DescriptionNVD

A critical Remote Code Execution (RCE) vulnerability was identified in the server-side template rendering mechanism used by the Glassfish gadget handler. The application processes .xml files and evaluates user-supplied values within a context where Expression Language (EL) “expressions” are processed without proper sanitization or escaping. By injecting expressions such as #{7*7}, the server returns 49, confirming server-side EL evaluation. This issue allows a remote attacker to fully compromise the underlying host, enabling capabilities as reading/modifying data, executing arbitrary commands, persistence, and lateral movement.

AnalysisAI

{7*7} which the server evaluates to 49. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

RemediationAI

{...}); disable XML file upload functionality where operationally feasible. Within 30 days: Establish automated monitoring of Eclipse GlassFish security advisories; develop and test a migration path to patched versions when vendor releases updates.

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

EUVD-2026-30941 vulnerability details – vuln.today

Back

Eclipse GlassFish EUVD-2026-30941

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code