CVE Catalog

CVE-2026-2586

CriticalCVSS 9.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Elevated risk
0.82%

53th percentile — higher than 53% of all known CVEs

Summary

An authenticated Remote Code Execution (RCE) vulnerability was found in GlassFish's Administration Console. A user with panel access can send crafted requests to execute arbitrary OS commands with the privileges of the application service user.

Risk Assessment

The risk is that an attacker with a user account can take over the application server, potentially leading to data theft, application modification, or further attacks on the infrastructure.

Recommendation

Immediately upgrade Eclipse GlassFish to version 8.0.2, 7.1.1, or 7.0.26 depending on your branch. For versions 5.1.0–6.2.5, contact the vendor for patch information.

Original NVD description (English source)

An authenticated Remote Code Execution (RCE) vulnerability was identified in GlassFish's Administration Console. A user with access to the panel can send crafted requests that allow the execution of arbitrary operating system commands with the privileges of the application service user. This issue affects Eclipse GlassFish: from 8.0.0 to 8.0.1, fixed in 8.0.2; 7.1.0, fixed in 7.1.1; from 7.0.0 to 7.0.25, fixed in 7.0.26. Impact on versions from 5.1.0 to 6.2.5 is unknown.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS