CVE-2026-2586
CVSS Score
9.1
EPSS Score
0.8%
EPSS Percentile
53th
An authenticated Remote Code Execution (RCE) vulnerability was identified in GlassFish's Administration Console. A user with access to the panel can send crafted requests that allow the execution of arbitrary operating system commands with the privileges of the application service user. This issue affects Eclipse GlassFish: from 8.0.0 to 8.0.1, fixed in 8.0.2; 7.1.0, fixed in 7.1.1; from 7.0.0 to 7.0.25, fixed in 7.0.26. Impact on versions from 5.1.0 to 6.2.5 is unknown.
| CWE | CWE-94 CWE-917 |
| Vendor | eclipse foundation |
| Product | eclipse glassfish |
| Published | May 19, 2026 |
| Last Updated | Jun 29, 2026 |
Stay Ahead of the Next One
Get instant alerts for eclipse foundation eclipse glassfish
Be the first to know when new critical vulnerabilities affecting eclipse foundation eclipse glassfish are published — delivered to Slack, Telegram or Discord.
Get Free Alerts →
Free · No credit card · 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High
Affected Versions
Eclipse Foundation / Eclipse Glassfish
7.0.0 < 7.0.26 7.1.0 < 7.1.1 8.0.0 < 8.0.2
References
Credits
Camilo G. AkA Dedalo (DeepSecurity Perú) Gabriel A. Hinostroza Ayala (DeepSecurity Perú)