CVE-2026-2587

描述

A critical Remote Code Execution (RCE) vulnerability was identified in the server-side template rendering mechanism used by the Glassfish gadget handler. The application processes .xml files and evaluates user-supplied values within a context where Expression Language (EL) “expressions” are processed without proper sanitization or escaping. By injecting expressions such as #{7*7}, the server returns 49, confirming server-side EL evaluation. This issue allows a remote attacker to fully compromise the underlying host, enabling capabilities as reading/modifying data, executing arbitrary commands, persistence, and lateral movement.

受影響套件(2)

• Maven/org.glassfish.jsftemplating:jsftemplatingfrom 0, < 4.2.0
• Maven/org.glassfish.main.admingui:adminguifrom 0, < 8.0.2

CVSS 分數

參考連結(4)

• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-2587
• PATCHhttps://github.com/eclipse-ee4j/glassfish
• WEBhttps://github.com/eclipse-ee4j/glassfish/releases/tag/8.0.2
• WEBhttps://gitlab.eclipse.org/security/cve-assignment/-/issues/86