Cyber Resilience

CVE-2026-2587

CriticalPublic PoCRCEUpdated

Published: 19 May 2026

Published
19 May 2026
Modified
29 June 2026
KEV Added
Patch
CVSS Score v3.1 9.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
EPSS Score 0.0063 45.6th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-2587 is a critical-severity Expression Language Injection (CWE-917) vulnerability in Eclipse Glassfish. Its CVSS base score is 9.6 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 45.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

A critical Remote Code Execution (RCE) vulnerability was identified in the server-side template rendering mechanism used by the Glassfish gadget handler. The application processes .xml files and evaluates user-supplied values within a context where Expression Language (EL) “expressions” are processed…

more

without proper sanitization or escaping. By injecting expressions such as #{7*7}, the server returns 49, confirming server-side EL evaluation. This issue allows a remote attacker to fully compromise the underlying host, enabling capabilities as reading/modifying data, executing arbitrary commands, persistence, and lateral movement. This issue affects Eclipse GlassFish: from 8.0.0 to 8.0.1, fixed in 8.0.2; 7.1.0, fixed in 7.1.1; from 7.0.0 to 7.0.25, fixed in 7.0.26. Impact on versions from 5.1.0 to 6.2.5 is unknown.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059 Command and Scripting Interpreter Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

Direct RCE via unsanitized EL/template injection on server-side handler enables public app exploitation (T1190) and arbitrary command execution (T1059).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-2586Same product: Eclipse Glassfish
CVE-2024-9342Same product: Eclipse Glassfish
CVE-2026-2332Same vendor: Eclipse
CVE-2026-41883Shared CWE-917
CVE-2026-1188Same vendor: Eclipse
CVE-2025-67109Same vendor: Eclipse
CVE-2025-55100Same vendor: Eclipse
CVE-2026-24457Same vendor: Eclipse
CVE-2026-5795Same vendor: Eclipse
CVE-2025-0728Same vendor: Eclipse

Affected Assets

eclipse
glassfish
≤ 8.0.2

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References