📦

glassfish

Vendor: eclipse

Actively Exploited 0 CISA KEV List

PoC / Exploits 0 Code Available

Total RCEs 2 Remote Access

Total CVEs 18 Total Indexed

Avg. EPSS 0.32% Exploit Prob.

Latest CVE CVE-2026-2587 May 19

Security Vulnerability Index

Page 1 / 2

9.6 CVSS

CVE-2026-2587

RCE

A critical Remote Code Execution (RCE) vulnerability was identified in the server-side template rendering mechanism used by the Glassfish gadget handler. The application processes .xml files and evaluates user-supplied values within a context where Expression Language (EL) “expressions” are processed without proper sanitization or escaping. By injecting expressions such as #{7*7}, the server returns 49, confirming server-side EL evaluation. This issue allows a remote attacker to fully compromise the underlying host, enabling capabilities as reading/modifying data, executing arbitrary commands, persistence, and lateral movement.

EPSS: 0.15%

Severity: CRITICAL

May 19, 2026

9.1 CVSS

CVE-2026-2586

RCE

An authenticated Remote Code Execution (RCE) vulnerability was identified in GlassFish's Administration Console. A user with access to the panel can send crafted requests that allow the execution of arbitrary operating system commands with the privileges of the application service user.

EPSS: 0.30%

Severity: CRITICAL

May 19, 2026

8.9 CVSS

CVE-2024-9408

In Eclipse GlassFish since version 6.2.5 it is possible to perform a Server Side Request Forgery attack in specific endpoints.

EPSS: 0.30%

Severity: HIGH

Jul 16, 2025

6.1 CVSS

CVE-2024-9343

In Eclipse GlassFish version 7.0.15 is possible to perform Stored Cross-site scripting attacks in the Administration Console.

EPSS: 0.15%

Severity: MEDIUM

Jul 16, 2025

6.3 CVSS

CVE-2024-9342

In Eclipse GlassFish version 7.0.16 or earlier it is possible to perform Login Brute Force attacks as there is no limitation in the number of failed login attempts.

EPSS: 0.40%

Severity: MEDIUM

Jul 16, 2025

6.1 CVSS

CVE-2024-10032

In Eclipse GlassFish version 7.0.15 is possible to perform Stored Cross-site scripting attacks in the Administration Console.

EPSS: 0.12%

Severity: MEDIUM

Jul 16, 2025

5.8 CVSS

CVE-2024-10031

In Eclipse GlassFish version 7.0.15 is possible to perform Stored Cross-site Scripting attacks by modifying the configuration file in the underlying operating system.

EPSS: 0.11%

Severity: MEDIUM

Jul 16, 2025

4.5 CVSS

CVE-2024-10029

In Eclipse GlassFish version 7.0.15 is possible to perform Reflected Cross-site scripting attacks in the Administration Console.

EPSS: 0.15%

Severity: MEDIUM

Jul 16, 2025

6.9 CVSS

CVE-2024-9329

In Eclipse Glassfish versions before 7.0.17, The Host HTTP parameter could cause the web application to redirect to the specified URL, when the requested endpoint is '/management/domain'. By modifying the URL value to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials.

EPSS: 0.58%

Severity: MEDIUM

Sep 30, 2024

6.1 CVSS

CVE-2024-8646

In Eclipse Glassfish versions prior to 7.0.10, a URL redirection vulnerability to untrusted sites existed. This vulnerability is caused by the vulnerability (CVE-2023-41080) in the Apache code included in GlassFish. This vulnerability only affects applications that are explicitly deployed to the root context ('/').

EPSS: 0.78%

Severity: MEDIUM

Sep 11, 2024

Displaying 10 of 18 Total Entries

1 2

Total 2 Sections