RCE in Glassfish Gadget Handler via unsanitized EL in .xml
CVE-2026-2587 Published on May 19, 2026
A critical Remote Code Execution (RCE) vulnerability was identified in the server-side template rendering mechanism used by the Glassfish gadget handler. The application processes .xml files and evaluates user-supplied values in a context where Expression Language (EL) expressions are processed without proper sanitization or escaping. Injecting an expression such as #{7*7} causes the server to return 49, confirming server-side EL evaluation. This issue allows a remote attacker to fully compromise the underlying host, enabling capabilities such as reading or modifying data, executing arbitrary commands, establishing persistence, and moving laterally.
Vulnerability Analysis
CVE-2026-2587 can be exploited with network access and requires user interaction. The attack complexity is considered low. The potential impact of an exploit is considered critical, as the vulnerability has a high impact on the confidentiality, integrity and availability of the affected component.
Weakness Type
What is an EL Injection Vulnerability?
The software constructs all or part of an expression language (EL) statement in a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed.
CVE-2026-2587 has been classified as an EL Injection vulnerability or weakness.
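As an added illustration (not code from this advisory or from Glassfish), the following Python shows two defender-side checks for the weakness described above: a scanner that flags unescaped EL delimiters such as the #{7*7} probe in constructed access-log lines, and a neutralizer that escapes `${` / `#{` so a user-supplied value is rendered as literal text by an EL-aware JSP/Facelets template. The `/gadget` path and its parameter names are assumptions.

```python
import re
from urllib.parse import unquote_plus

# An EL expression delimiter (${ or #{) that is not already escaped with a backslash.
EL_EXPR = re.compile(r'(?<!\\)[#$]\{[^}]*\}')

def find_el_probes(value: str) -> list[str]:
    """Return every unescaped ${...} / #{...} sequence in a URL-encoded input value."""
    return EL_EXPR.findall(unquote_plus(value))

def neutralize_el(value: str) -> str:
    """Escape EL delimiters so the value renders literally in JSP/Facelets template text,
    where '\\${' and '\\#{' are treated as the literal characters '${' / '#{'."""
    return re.sub(r'(?<!\\)([#$])\{', r'\\\1{', value)

# Constructed sample access-log lines (not taken from the advisory), combined log format.
# Line 2 carries the #{7*7} probe, line 3 a ${...} expression, line 4 an already escaped value.
SAMPLE_LOG = """\
10.0.0.5 - - [19/May/2026:10:00:01 +0000] "GET /gadget?title=Quarterly+Report HTTP/1.1" 200 512
10.0.0.9 - - [19/May/2026:10:00:07 +0000] "GET /gadget?title=%23%7B7*7%7D HTTP/1.1" 200 498
10.0.0.9 - - [19/May/2026:10:00:09 +0000] "POST /gadget?desc=%24%7Bbean.name%7D HTTP/1.1" 200 498
10.0.0.7 - - [19/May/2026:10:00:12 +0000] "GET /gadget?title=price+%5C%23%7Bsafe%7D HTTP/1.1" 200 510
"""

# client, ident, user, [timestamp], "METHOD target PROTOCOL"
REQUEST_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"')

def scan_log(text: str) -> list[tuple[str, str, list[str]]]:
    """Return (client_ip, path, probes) for each request whose query string carries
    an unescaped EL expression, i.e. a likely EL injection probe."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_LINE.match(line)
        if not m:
            continue
        ip, _method, target = m.groups()
        path, _sep, query = target.partition('?')
        probes = find_el_probes(query)
        if probes:
            hits.append((ip, path, probes))
    return hits
```

The escaped value on the fourth sample line is deliberately not reported, so the scanner does not flood on input that a template would already render literally.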
Products Associated with CVE-2026-2587
Affected Versions
Eclipse Foundation Eclipse Glassfish: Version 8.0.2, <= * is unaffected.