Remote Code Execution Vulnerability in Glassfish Gadget Handler from Eclipse
CVE-2026-2587

9.6 CRITICAL

Key Information:

Vendor: Eclipse
CVE Published: 19 May 2026
Badges: 👾 Exploit Exists, 🟡 Public PoC

What is CVE-2026-2587?

A serious Remote Code Execution vulnerability exists in the server-side template rendering mechanism of the Glassfish gadget handler. The flaw arises from improper handling of user-supplied values in .xml files: an attacker can place expressions into these values, and the handler evaluates them without adequate sanitization. Once such an expression is evaluated, the attacker can gain complete control of the affected server, allowing them to read or modify sensitive data, execute arbitrary commands, and maintain persistence within the network. The CVSS vector below (network-reachable, low complexity, no privileges, but requiring user interaction) reflects that the malicious .xml content must first be processed by the handler. This vulnerability highlights the critical need for robust input validation and secure coding practices in server applications.

Affected Version(s)

Eclipse Glassfish 8.0.2

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which can lead to ransomware.

References

CVSS V3.1

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Score: 9.6
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • 🟡 Public PoC available
  • 👾 Exploit known to exist
  • Vulnerability published
  • Vulnerability reserved

Credit

Camilo G. aka Dedalo (DeepSecurity Perú)