Impact
A critical vulnerability allows remote attackers to execute arbitrary code on servers running the GlassFish gadget handler. The flaw lies in the handler's processing of .xml files: user-supplied values are evaluated as Expression Language (EL) expressions without sanitization or escaping. Injecting an expression such as #{7*7} demonstrates the problem: the EL engine evaluates the payload and returns 49, confirming that arbitrary expression evaluation is possible. The vulnerability is classified as CWE-917 (Improper Neutralization of Special Elements used in an Expression Language Statement); EL injection of this kind can lead to full compromise of the underlying host, including data tampering, command execution, persistence, and lateral movement.
Affected Systems
The vulnerability affects the Eclipse GlassFish server, specifically the gadget handler responsible for processing XML payloads. No vendor-supplied version numbers are listed, so any GlassFish installation that includes the gadget handler and processes XML files should be treated as potentially affected. Users should review their deployments for the presence of this component.
Risk and Exploitability
The CVSS score of 9.6 places this issue in the critical severity range. No EPSS score is available, but the absence of a mitigation and the nature of the flaw suggest a substantial likelihood of exploitation by an attacker able to supply XML files to the handler. The vulnerability is not listed in the CISA KEV catalog, meaning no confirmed public exploitation has been recorded yet, but the inherent risk remains significant. The most likely attack vector is a remote attacker uploading a crafted XML file, or otherwise feeding EL expressions to the gadget handler, which the server then evaluates in a privileged context.
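As an added example (not part of this advisory, and not GlassFish code), the following Python pre-check flags EL expression syntax in the text and attribute values of an XML document before an EL-evaluating component ever sees it; the gadget XML layout, element names and the `is_safe_gadget_xml` helper are constructed for illustration, and the probe value #{7*7} is the one quoted above.

```python
import re
import xml.etree.ElementTree as ET

# EL expression syntax: immediate (${...}) and deferred (#{...}) evaluation.
# Gadget metadata has no legitimate need for either form, so any occurrence
# in an untrusted document is reported as a finding.
EL_PATTERN = re.compile(r"[#$]\{[^}]*\}")

# Constructed sample: a gadget-style XML document whose text and attribute
# values carry EL expressions, including the #{7*7} probe from the advisory.
SAMPLE_XML = """<?xml version="1.0"?>
<gadget name="weather">
  <title>#{7*7}</title>
  <author email="ops@example.test">Ops Team</author>
  <setting key="refresh" value="${param.refresh}"/>
</gadget>
"""


def find_el_expressions(xml_text: str) -> list[tuple[str, str]]:
    """Return (location, expression) pairs for every EL-looking token found
    in element text or attribute values, in document order."""
    findings = []
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        for match in EL_PATTERN.findall(elem.text or ""):
            findings.append((f"{elem.tag}/text()", match))
        for name, value in elem.attrib.items():
            for match in EL_PATTERN.findall(value):
                findings.append((f"{elem.tag}/@{name}", match))
    return findings


def is_safe_gadget_xml(xml_text: str) -> bool:
    """Gate an uploaded document before it reaches the handler: reject it if
    any value could be interpreted as an expression, and also reject XML that
    does not parse rather than letting a lenient downstream parser guess."""
    try:
        return not find_el_expressions(xml_text)
    except ET.ParseError:
        return False


if __name__ == "__main__":
    for location, expr in find_el_expressions(SAMPLE_XML):
        print(f"EL expression in {location}: {expr}")
    print("safe:", is_safe_gadget_xml(SAMPLE_XML))
```

Treat a hit as a reason to reject the upload and log the source, not as something to strip and forward; the handler itself still needs to stop evaluating user-controlled values as EL.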
OpenCVE Enrichment