
PEACH
Un cadre d’isolation des locataires
CVE-2026-2587 is a critical Remote Code Execution (RCE) vulnerability in the server-side template rendering mechanism of Eclipse GlassFish's gadget handler, classified as an Expression Language (EL) Injection (CWE-917). The vulnerability affects org.glassfish.jsftemplating:jsftemplating versions before 4.2.0 and org.glassfish.main.admingui:admingui versions before 8.0.2 (Eclipse GlassFish before 8.0.2). It was published on May 19, 2026, with a patch released the same day. The CVSS v3.1 base score is 9.6 (Critical) (GitHub Advisory, Eclipse CVE Assignment).
The root cause is improper neutralization of special elements in Expression Language statements (CWE-917) within GlassFish's gadget handler. The application processes .xml files and evaluates user-supplied values in a context where EL expressions (e.g., #{7*7}) are resolved server-side without sanitization or escaping. An attacker can inject malicious EL expressions into XML gadget parameters, which are then evaluated by the server, confirming RCE when the server returns the computed result (e.g., 49). A public PoC exploit script (CVE-2026-2587-Exploit-POC.py) is available that authenticates to the admin console, hosts a malicious XML probe with an EL canary, triggers the gadget.jsf endpoint, and confirms RCE (GitHub Advisory, PoC GitHub).
Successful exploitation allows a remote attacker to fully compromise the underlying host running GlassFish. Consequences include arbitrary command execution, reading and modifying sensitive data, establishing persistence on the compromised system, and lateral movement within the broader infrastructure. All three security pillars — confidentiality, integrity, and availability — are rated High, and the changed scope indicates impact can extend beyond the vulnerable component itself (GitHub Advisory, Eclipse CVE Assignment).
gadget.jsf endpoint.--username and --password parameters; default or weak credentials may be targeted).--listen) to serve a crafted .xml file containing an EL canary expression such as #{7*7}.gadget.jsf endpoint with a parameter pointing to the attacker-controlled XML file URL (--callback-url), causing the server to fetch and process the malicious XML.49 for #{7*7}), confirming RCE capability.#{Runtime.getRuntime().exec('...')}) to execute arbitrary OS commands, establish a reverse shell, exfiltrate data, or deploy persistence mechanisms (PoC GitHub, GitHub Advisory).gadget.jsf endpoint with parameters referencing external URLs; outbound HTTP connections from the GlassFish server to attacker-controlled hosts (used to fetch malicious XML files); unexpected outbound connections on non-standard ports (reverse shell activity)./gadget.jsf or similar endpoints with external URL parameters; server-side EL evaluation errors or unexpected numeric outputs (e.g., 49) in application logs; authentication events from unfamiliar IP addresses against the admin console..xml files or web shells written to the GlassFish deployment or temp directories; new cron jobs, scheduled tasks, or startup scripts created by the GlassFish service account.bash, sh, cmd.exe, curl, wget, python, nc); unexpected network listeners opened by the GlassFish process (PoC GitHub, GitHub Advisory).Upgrade to Eclipse GlassFish 8.0.2 or later, which patches the vulnerable org.glassfish.main.admingui:admingui component, and upgrade org.glassfish.jsftemplating:jsftemplating to version 4.2.0 or later (GitHub Advisory, GlassFish Release). As interim mitigations: restrict network access to the GlassFish admin console (port 4848) to trusted IP ranges only; implement WAF rules to block EL injection patterns (e.g., #{, ${) in HTTP request parameters; disable EL evaluation in template contexts where user input is present if not required for functionality; and apply strict input validation and output encoding for all user-supplied values processed by the template rendering engine.
The vulnerability was noted in the OmniFish blog covering GlassFish 8.0.2's security fixes shortly after disclosure (OmniFish Blog). CISA included it in their weekly vulnerability bulletin (SB26-145), indicating recognition by the U.S. cybersecurity authority (CISA Bulletin). Community discussion was observed on Bluesky and security aggregator sites, and the vulnerability was featured in a PoC-of-the-week roundup in early June 2026 (PoC Week). Overall community sentiment reflects concern given the critical CVSS score and public PoC availability, though no widespread exploitation has been confirmed.
Source: Ce rapport a été généré à l’aide de l’IA
Évaluation gratuite des vulnérabilités
Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.
Obtenez une démo personnalisée
"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."