Eclipse GlassFish Remote Code Execution Vulnerability via Expression Language Injection

Vulnerability

A critical remote code execution vulnerability has been identified in Eclipse GlassFish 8.0.0 and in versions prior to 7.1.0. The vulnerability arises in the server-side template rendering of the GlassFish gadget handler, where the application processes .xml files and evaluates user-supplied values using Expression Language (EL). The issue stems from improper sanitization and escaping of EL expressions, which allows remote attackers to inject and execute arbitrary code. Exploitation could lead to full compromise of the underlying host, including unauthorized data access and modification, execution of arbitrary commands, persistence, and lateral movement within the network.
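As an added illustration that is not code from the advisory or from the GlassFish project, the following shows the rendering mistake described above beside its hardened form, using the standard jakarta.el API. It assumes a Jakarta EL implementation is on the classpath; the greeting template, the `name` variable and the sample input are constructed for the example.

```java
import jakarta.el.ELContext;
import jakarta.el.ELProcessor;
import jakarta.el.ExpressionFactory;
import jakarta.el.ValueExpression;
import java.util.regex.Pattern;

public class ElTemplateRendering {
    private static final ExpressionFactory FACTORY = ExpressionFactory.newInstance();
    // Matches the start of an immediate (${) or deferred (#{) EL expression.
    private static final Pattern EL_DELIMITER = Pattern.compile("[$#]\\{");

    // Vulnerable pattern: the user-supplied value is concatenated into the template
    // text, so any ${...} or #{...} it contains is parsed and evaluated by the EL engine.
    static String renderVulnerable(String userValue) {
        ELContext ctx = new ELProcessor().getELManager().getELContext();
        ValueExpression ve = FACTORY.createValueExpression(
                ctx, "Hello, " + userValue + "!", String.class);
        return (String) ve.getValue(ctx);
    }

    // Hardened pattern: the template is a fixed string and user data enters only as a
    // bound variable, so its contents are treated as a value, never as EL source.
    static String renderHardened(String userValue) {
        ELProcessor elp = new ELProcessor();
        elp.defineBean("name", userValue);   // "name" is an assumed variable name
        ELContext ctx = elp.getELManager().getELContext();
        ValueExpression ve = FACTORY.createValueExpression(
                ctx, "Hello, ${name}!", String.class);
        return (String) ve.getValue(ctx);
    }

    // Defensive check for values that must never be spliced into template text:
    // flag inputs carrying EL delimiters so the caller can reject or log them.
    static boolean containsElDelimiters(String userValue) {
        return userValue != null && EL_DELIMITER.matcher(userValue).find();
    }

    public static void main(String[] args) {
        String sample = "${1+1}";   // constructed sample input containing an EL expression
        System.out.println("flagged: " + containsElDelimiters(sample));
        // The vulnerable path evaluates the embedded expression; the hardened path
        // renders the input as literal text.
        System.out.println("vulnerable: " + renderVulnerable(sample));
        System.out.println("hardened:   " + renderHardened(sample));
    }
}
```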

Impact

Exploitation of this vulnerability allows for remote code execution on the server, with the potential for full system compromise.

Added: May 19, 2026, 3:27 PM
Updated: May 19, 2026, 3:27 PM

Vulnerability Rating

Custom Algorithm

spread: 3.4
impact: 10.0
exploitability: 6.8
remediation: 0.0
relevance: 8.8
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.