CVE-2026-2586
CRITICALEclipse Glassfish - Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
Title source: ruleExploitation Summary
EIP tracks 1 public exploit for CVE-2026-2586. PoCs published by DeepSecurityResearch.
AI-analyzed exploit summary This repository contains a functional Python exploit for CVE-2026-2586, an authenticated Expression Language (EL) injection vulnerability in GlassFish/Payara Administration Console. The exploit leverages insecure EL expression processing in the virtual server configuration interface to achieve remote command execution via reverse shell payloads.
Description
An authenticated Remote Code Execution (RCE) vulnerability was identified in GlassFish's Administration Console. A user with access to the panel can send crafted requests that allow the execution of arbitrary operating system commands with the privileges of the application service user. This issue affects Eclipse GlassFish: from 8.0.0 to 8.0.1, fixed in 8.0.2; 7.1.0, fixed in 7.1.1; from 7.0.0 to 7.0.25, fixed in 7.0.26. Impact on versions from 5.1.0 to 6.2.5 is unknown.
Exploits (1)
This repository contains a functional Python exploit for CVE-2026-2586, an authenticated Expression Language (EL) injection vulnerability in GlassFish/Payara Administration Console. The exploit leverages insecure EL expression processing in the virtual server configuration interface to achieve remote command execution via reverse shell payloads.
References (1)
Scores
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H