CVE-2026-2587
published 2026-05-19CVE-2026-2587: A critical Remote Code Execution (RCE) vulnerability was identified in the server-side template rendering mechanism used by the Glassfish gadget handler. The…
PriorityP262critical9.6CVSS 3.1
AVNACLPRNUIRSCCHIHAH
EPSS
0.63%
45.5th percentile
A critical Remote Code Execution (RCE) vulnerability was identified in the server-side template rendering mechanism used by the Glassfish gadget handler. The application processes .xml files and evaluates user-supplied values within a context where Expression Language (EL) “expressions” are processed without proper sanitization or escaping. By injecting expressions such as #{7*7}, the server returns 49, confirming server-side EL evaluation. This issue allows a remote attacker to fully compromise the underlying host, enabling capabilities as reading/modifying data, executing arbitrary commands, persistence, and lateral movement. This issue affects Eclipse GlassFish: from 8.0.0 to 8.0.1, fixed in 8.0.2; 7.1.0, fixed in 7.1.1; from 7.0.0 to 7.0.25, fixed in 7.0.26. Impact on versions from 5.1.0 to 6.2.5 is unknown.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| eclipse | glassfish | < 8.0.2 | 8.0.2 |
| eclipse_foundation | eclipse_glassfish | >= 7.0.0 < 7.0.26 | 7.0.26 |
| eclipse_foundation | eclipse_glassfish | >= 7.1.0 < 7.1.1 | 7.1.1 |
| eclipse_foundation | eclipse_glassfish | >= 8.0.0 < 8.0.2 | 8.0.2 |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
VulDB
Eclipse Glassfish up to 7.0.x/8.0.0 Gadget expression language injection
vuldb·2026-05-19·CVSS 9.6
CVE-2026-2587 [CRITICAL] Eclipse Glassfish up to 7.0.x/8.0.0 Gadget expression language injection
A vulnerability classified as critical was found in Eclipse Glassfish up to 7.0.x/8.0.0. This vulnerability affects unknown code of the component Gadget Handler. The manipulation results in improper neutralization of special elements used in an expression language statement.
This vulnerability is identified as CVE-2026-2587. The attack can be executed remotely. There is not any exploit available.
Upgrading the affected component is advised.
GHSA
GlassFish's gadget handler is vulnerable to RCE
ghsa·2026-05-19
CVE-2026-2587 [CRITICAL] CWE-917 GlassFish's gadget handler is vulnerable to RCE
GlassFish's gadget handler is vulnerable to RCE
A critical Remote Code Execution (RCE) vulnerability was identified in the server-side template rendering mechanism used by the Glassfish gadget handler. The application processes .xml files and evaluates user-supplied values within a context where Expression Language (EL) “expressions” are processed without proper sanitization or escaping. By injecting expressions such as #{7*7}, the server returns 49, confirming server-side EL evaluation. This issue allows a remote attacker to fully compromise the underlying host, enabling capabilities as reading/modifying data, executing arbitrary commands, persistence, and lateral movement.
GHSA
GHSA-29wv-cv7p-xjc2: A critical Remote Code Execution (RCE) vulnerability was identified in the server-side template rendering mechanism used by the Glassfish gadget handl
ghsa_unreviewed·2026-05-19
CVE-2026-2587 [CRITICAL] CWE-917 GHSA-29wv-cv7p-xjc2: A critical Remote Code Execution (RCE) vulnerability was identified in the server-side template rendering mechanism used by the Glassfish gadget handl
A critical Remote Code Execution (RCE) vulnerability was identified in the server-side template rendering mechanism used by the Glassfish gadget handler. The application processes .xml files and evaluates user-supplied values within a context where Expression Language (EL) “expressions” are processed without proper sanitization or escaping. By injecting expressions such as #{7*7}, the server returns 49, confirming server-side EL evaluation. This issue allows a remote attacker to fully compromise the underlying host, enabling capabilities as reading/modifying data, executing arbitrary commands, persistence, and lateral movement.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2026-05-19
Published