CVE-2026-2587 describes a critical server-side Expression Language (EL) injection issue in a GlassFish-related gadget handling path. The supplied description indicates that untrusted values from .xml input are evaluated without proper sanitization or escaping, and a test payload such as #{7*7} returns 49, confirming server-side expression evaluation. The reported impact is severe: remote attackers may be [truncated]
CRITICAL | Eclipse Foundation | CVE published 2026-05-19
CVE-2026-2586 is a critical authenticated remote code execution issue in GlassFish’s Administration Console. The supplied record says a user with access to the panel can send crafted requests that lead to arbitrary operating system command execution under the privileges of the application service user. Because exploitation requires high privileges but no user interaction, and the impact spans confidential [truncated]