PT-2026-41933 · Eclipse · Glassfish

Published: 2026-05-19 · Updated: 2026-05-30 · CVE-2026-2587

CVSS v3.1: 9.6 (Critical)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Eclipse GlassFish version 8.0.0
Eclipse GlassFish versions prior to 7.1.0

Description
A critical Expression Language (EL) injection issue exists in the server-side template rendering mechanism used by the GlassFish gadget handler. The application processes .xml files and evaluates user-supplied values without proper sanitization or escaping. This allows a remote attacker to inject expressions, such as #{7*7}, to achieve remote code execution, which can lead to full compromise of the underlying host, including reading or modifying data, executing arbitrary commands, establishing persistence, and lateral movement.

Recommendations
Restrict the processing of untrusted XML input. Monitor Eclipse security advisories for remediation guidance.
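The following is an added illustration of the recommendation above, not code from GlassFish or from this advisory's author: it scans untrusted XML for EL syntax (the immediate `${...}` and deferred `#{...}` forms, the latter being the form of the `#{7*7}` probe named in the description) before the document reaches any template or EL evaluator, and either rejects the document or escapes the delimiters so the engine treats them as literal text. The sample XML, the element names and the `gadget`/`param` layout are constructed for the example and make no claim about the gadget handler's actual file format.

```python
"""Flag, reject or escape Expression Language delimiters in untrusted XML.

Added example for the advisory above; not GlassFish code. The XML sample and
element names below are constructed and do not describe the real format.
"""
import re
import xml.etree.ElementTree as ET

# Immediate (${...}) and deferred (#{...}) EL syntax. A preceding backslash is
# the EL escape for a literal delimiter, so already-escaped text is not flagged.
EL_PATTERN = re.compile(r"(?<!\\)[#$]\{[^}]*\}")

# Constructed sample: benign values plus the #{7*7} probe from the advisory.
SAMPLE_XML = """<?xml version="1.0"?>
<gadgets>
  <gadget name="clock" title="World clock" />
  <gadget name="greeting" title="Hello #{7*7}">
    <param key="style">plain</param>
    <param key="banner">${user.name}</param>
  </gadget>
</gadgets>
"""


def _walk(elem, path=""):
    """Yield (xpath-like path, element) for elem and all descendants."""
    path = f"{path}/{elem.tag}"
    yield path, elem
    for child in elem:
        yield from _walk(child, path)


def find_el_expressions(xml_text):
    """Return (path, location, snippet) for every attribute or text node that
    contains unescaped EL syntax; an empty list means the document is clean."""
    findings = []
    root = ET.fromstring(xml_text)
    for path, elem in _walk(root):
        for attr, value in elem.attrib.items():
            for m in EL_PATTERN.finditer(value):
                findings.append((path, "@" + attr, m.group(0)))
        if elem.text:
            for m in EL_PATTERN.finditer(elem.text):
                findings.append((path, "text()", m.group(0)))
    return findings


def neutralize_el(value):
    """Escape EL delimiters so a template engine renders them as literal text.
    Jakarta EL treats '\\${' and '\\#{' as literal sequences."""
    return re.sub(r"(?<!\\)([#$])\{", r"\\\1{", value)


def accept_untrusted_xml(xml_text, policy="reject"):
    """Gate for XML from an untrusted source.

    policy='reject': raise ValueError if any EL syntax is present (the safe
                     default: untrusted input should never carry expressions).
    policy='escape': return the XML with every EL delimiter escaped.
    """
    findings = find_el_expressions(xml_text)
    if policy == "reject":
        if findings:
            raise ValueError(f"EL syntax in untrusted XML: {findings}")
        return xml_text
    root = ET.fromstring(xml_text)
    for _, elem in _walk(root):
        for attr in elem.attrib:
            elem.attrib[attr] = neutralize_el(elem.attrib[attr])
        if elem.text:
            elem.text = neutralize_el(elem.text)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for finding in find_el_expressions(SAMPLE_XML):
        print("EL syntax at %s %s: %s" % finding)
    print(accept_untrusted_xml(SAMPLE_XML, policy="escape"))
```

Rejecting is the better default for input that has no legitimate reason to contain expressions; escaping is only appropriate when the values are known to be displayed as literal text. Neither replaces the vendor fix, since the root cause is that the handler evaluates user-controlled values at all.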

Exploit

Fix

RCE

Weakness Enumeration

Related Identifiers

CVE-2026-2587
GHSA-29WV-CV7P-XJC2

Affected Products

Glassfish