CVE-2026-2586

CRITICAL

Eclipse Glassfish - Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

Title source: rule
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-2586. PoCs published by DeepSecurityResearch.

AI-analyzed exploit summary This repository contains a functional Python exploit for CVE-2026-2586, an authenticated Expression Language (EL) injection vulnerability in GlassFish/Payara Administration Console. The exploit leverages insecure EL expression processing in the virtual server configuration interface to achieve remote command execution via reverse shell payloads.

Description

An authenticated Remote Code Execution (RCE) vulnerability was identified in GlassFish's Administration Console. A user with access to the panel can send crafted requests that allow the execution of arbitrary operating system commands with the privileges of the application service user. This issue affects Eclipse GlassFish: from 8.0.0 to 8.0.1, fixed in 8.0.2; 7.1.0, fixed in 7.1.1; from 7.0.0 to 7.0.25, fixed in 7.0.26. Impact on versions from 5.1.0 to 6.2.5 is unknown.

Exploits (1)

nomisec WORKING POC 1 stars
by DeepSecurityResearch · poc
https://github.com/DeepSecurityResearch/CVE-2026-2586

This repository contains a functional Python exploit for CVE-2026-2586, an authenticated Expression Language (EL) injection vulnerability in GlassFish/Payara Administration Console. The exploit leverages insecure EL expression processing in the virtual server configuration interface to achieve remote command execution via reverse shell payloads.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: GlassFish/Payara Administration Console
Auth required
Prerequisites: Valid credentials for the GlassFish/Payara Administration Console · Network access to the administrative interface (typically port 4848)
mistral-large-3 · analyzed Jun 04, 2026 Full analysis →

Scores

CVSS v3 9.1
EPSS 0.0082
EPSS Percentile 52.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-917 CWE-94
Status published
Products (10)
eclipse/glassfish < 8.0.2
Eclipse Foundation/Eclipse Glassfish 5.1.0 - 6.2.5
Eclipse Foundation/Eclipse Glassfish 7.0.0 - 7.0.26
Eclipse Foundation/Eclipse Glassfish 7.1.0
Eclipse Foundation/Eclipse Glassfish 7.1.0 - 7.1.1
Eclipse Foundation/Eclipse Glassfish 8.0.0
Eclipse Foundation/Eclipse Glassfish 8.0.0 - 8.0.2
Eclipse Foundation/Eclipse Glassfish 8.0.2
org.glassfish.jsftemplating/jsftemplating 0 - 4.2.0Maven
org.glassfish.main.admingui/console-common 0 - 8.0.2Maven
Published May 19, 2026
Tracked Since May 19, 2026