CVE-2026-2587 | THREATINT

Description

A critical Remote Code Execution (RCE) vulnerability was identified in the server-side template rendering mechanism used by the Glassfish gadget handler. The application processes .xml files and evaluates user-supplied values within a context where Expression Language (EL) “expressions” are processed without proper sanitization or escaping. By injecting expressions such as #{7*7}, the server returns 49, confirming server-side EL evaluation. This issue allows a remote attacker to fully compromise the underlying host, enabling capabilities as reading/modifying data, executing arbitrary commands, persistence, and lateral movement.

PUBLISHED Reserved 2026-02-16 | Published 2026-05-19 | Updated 2026-05-20 | Assigner eclipse

CRITICAL: 9.6CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Problem types

CWE-917 Improper neutralization of special elements used in an expression language statement ('expression language injection')

Product status

Default status

affected

8.0.2 (semver)

unaffected

Credits

Camilo G. AkA Dedalo (DeepSecurity Perú) finder

References

gitlab.eclipse.org/security/cve-assignment/-/issues/86

cve.org (CVE-2026-2587)

nvd.nist.gov (CVE-2026-2587)

Download JSON