Description
A critical Remote Code Execution (RCE) vulnerability was identified in the server-side template rendering mechanism used by the Glassfish gadget handler. The application processes .xml files and evaluates user-supplied values within a context where Expression Language (EL) “expressions” are processed without proper sanitization or escaping. By injecting expressions such as #{7*7}, the server returns 49, confirming server-side EL evaluation. This issue allows a remote attacker to fully compromise the underlying host, enabling capabilities such as reading/modifying data, executing arbitrary commands, persistence, and lateral movement. This issue affects Eclipse GlassFish: from 8.0.0 to 8.0.1, fixed in 8.0.2; 7.1.0, fixed in 7.1.1; from 7.0.0 to 7.0.25, fixed in 7.0.26. Impact on versions from 5.1.0 to 6.2.5 is unknown.
Published: 2026-05-19
Score: 9.6 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A critical vulnerability allows remote attackers to execute arbitrary code on Glassfish servers running the gadget handler, through the server‑side template rendering mechanism that processes .xml files. The handler evaluates user‑supplied values as Expression Language (EL) expressions without sanitization or escaping. Injecting an expression such as #{7*7} makes the server return 49, confirming that user-supplied EL is evaluated server-side. This flaw, classified as CWE‑917, can fully compromise the host, enabling data read/write, command execution, persistence, and lateral movement.

Affected Systems

The flaw affects Eclipse GlassFish servers in the following versions: from 8.0.0 through 8.0.1, fixed in 8.0.2; 7.1.0, fixed in 7.1.1; from 7.0.0 through 7.0.25, fixed in 7.0.26. Versions 5.1.0 to 6.2.5 are not confirmed to be affected, and the impact of the vulnerability on those releases is unknown.

Risk and Exploitability

The CVSS score of 9.6 places this issue in the critical severity range, indicating a high impact if exploited. The EPSS score is < 1%, yet the absence of mitigation and the nature of the flaw suggest a substantial exploitation likelihood for an attacker with the ability to supply XML files. The vulnerability is not listed in the CISA KEV catalog, meaning there is no confirmed public exploitation yet, but the inherent risk remains significant. The most likely attack vector involves a remote attacker uploading a crafted XML file or otherwise feeding malicious EL expressions to the gadget handler, which the server then evaluates in a privileged context.

Generated by OpenCVE AI on June 29, 2026 at 09:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply vendor patch or update to a non‑vulnerable version of Glassfish as soon as an official fix is released
  • Disallow or tightly filter XML file uploads to prevent malicious content from reaching the gadget handler
  • Configure the server to disable EL processing or restrict the expression syntax that can be used within XML payloads
  • Deploy a web application firewall that inspects incoming XML and blocks suspicious EL expressions


Advisories
Source: GitHub GHSA
ID: GHSA-29wv-cv7p-xjc2
Title: GlassFish's gadget handler is vulnerable to RCE
History

Mon, 29 Jun 2026 10:15:00 +0000

Title: Remote Code Execution via Expression Language Injection in Glassfish XML Gadget Handler

Mon, 29 Jun 2026 08:45:00 +0000

Description (removed): A critical Remote Code Execution (RCE) vulnerability was identified in the server-side template rendering mechanism used by the Glassfish gadget handler. The application processes .xml files and evaluates user-supplied values within a context where Expression Language (EL) “expressions” are processed without proper sanitization or escaping. By injecting expressions such as #{7*7}, the server returns 49, confirming server-side EL evaluation. This issue allows a remote attacker to fully compromise the underlying host, enabling capabilities as reading/modifying data, executing arbitrary commands, persistence, and lateral movement.

Description (added): A critical Remote Code Execution (RCE) vulnerability was identified in the server-side template rendering mechanism used by the Glassfish gadget handler. The application processes .xml files and evaluates user-supplied values within a context where Expression Language (EL) “expressions” are processed without proper sanitization or escaping. By injecting expressions such as #{7*7}, the server returns 49, confirming server-side EL evaluation. This issue allows a remote attacker to fully compromise the underlying host, enabling capabilities as reading/modifying data, executing arbitrary commands, persistence, and lateral movement. This issue affects Eclipse GlassFish: from 8.0.0 to 8.0.1, fixed in 8.0.2; 7.1.0, fixed in 7.1.1; from 7.0.0 to 7.0.25, fixed in 7.0.26. Impact on versions from 5.1.0 to 6.2.5 is unknown.

Thu, 21 May 2026 13:30:00 +0000

CPEs: cpe:2.3:a:eclipse:glassfish:*:*:*:*:*:*:*:*

Tue, 19 May 2026 15:45:00 +0000

Title: Remote Code Execution via Expression Language Injection in Glassfish XML Gadget Handler
First Time appeared: Eclipse; Eclipse glassfish
Vendors & Products: Eclipse; Eclipse glassfish

Tue, 19 May 2026 15:30:00 +0000

Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 19 May 2026 14:30:00 +0000

Description: A critical Remote Code Execution (RCE) vulnerability was identified in the server-side template rendering mechanism used by the Glassfish gadget handler. The application processes .xml files and evaluates user-supplied values within a context where Expression Language (EL) “expressions” are processed without proper sanitization or escaping. By injecting expressions such as #{7*7}, the server returns 49, confirming server-side EL evaluation. This issue allows a remote attacker to fully compromise the underlying host, enabling capabilities as reading/modifying data, executing arbitrary commands, persistence, and lateral movement.
Weaknesses: CWE-917
References:
Metrics (cvssV3_1): {'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: eclipse

Published:

Updated: 2026-06-29T08:41:24.518Z

Reserved: 2026-02-16T14:14:23.896Z

Link: CVE-2026-2587

Vulnrichment

Updated: 2026-05-19T14:40:21.559Z

NVD

Status : Analyzed

Published: 2026-05-19T15:16:28.577

Modified: 2026-06-17T10:31:21.703

Link: CVE-2026-2587

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-29T10:00:11Z

Weaknesses
  • CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')