CVE-2026-2586
CriticalCVSS 9.1Exploitation Probability (EPSS)
Elevated risk53th percentile — higher than 53% of all known CVEs
Summary
An authenticated Remote Code Execution (RCE) vulnerability was found in GlassFish's Administration Console. A user with panel access can send crafted requests to execute arbitrary OS commands with the privileges of the application service user.
Risk Assessment
The risk is that an attacker with a user account can take over the application server, potentially leading to data theft, application modification, or further attacks on the infrastructure.
Recommendation
Immediately upgrade Eclipse GlassFish to version 8.0.2, 7.1.1, or 7.0.26 depending on your branch. For versions 5.1.0–6.2.5, contact the vendor for patch information.
Original NVD description (English source)
An authenticated Remote Code Execution (RCE) vulnerability was identified in GlassFish's Administration Console. A user with access to the panel can send crafted requests that allow the execution of arbitrary operating system commands with the privileges of the application service user. This issue affects Eclipse GlassFish: from 8.0.0 to 8.0.1, fixed in 8.0.2; 7.1.0, fixed in 7.1.1; from 7.0.0 to 7.0.25, fixed in 7.0.26. Impact on versions from 5.1.0 to 6.2.5 is unknown.

