CVE-2026-2587: Critical RCE in Glassfish Gadget Handler

A critical Remote Code Execution (RCE) vulnerability, tracked as CVE-2026-2587, has been identified in the server-side template rendering mechanism of the Glassfish gadget handler. The National Vulnerability Database reports that the flaw stems from improper sanitization of user-supplied values within XML files at the point where Expression Language (EL) expressions are evaluated.

Attackers can inject EL expressions, such as #{7*7}, to confirm that the server evaluates attacker-supplied expressions. A successful injection of this kind demonstrates the ability to execute arbitrary code, leading to full compromise of the underlying host. The National Vulnerability Database rates this vulnerability with a CVSS score of 9.6 (CRITICAL), highlighting severe implications including data exfiltration, command execution, persistence, and lateral movement.

While specific affected products were not detailed by the National Vulnerability Database, organizations utilizing Glassfish or similar server-side template rendering technologies that process user-supplied XML should assume exposure. The attacker’s calculus here is straightforward: exploit an unsanitized input to gain RCE, a direct path to full system control. Defenders must prioritize patching and rigorous input validation.

What This Means For You

  • If your organization uses Glassfish or any server-side template rendering that processes untrusted XML input, you are at severe risk from CVE-2026-2587. Immediately identify all instances of Glassfish gadget handlers in your environment and apply any available patches. Scrutinize input validation mechanisms for EL expressions in XML processing to prevent remote code execution.
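To make the input-validation step above concrete, here is an added defensive check written for this page; it is not Glassfish code and is not part of the NVD entry. It parses an XML document, scans every element text and attribute value for EL expression syntax (the #{...} and ${...} delimiters), and rejects the document before it reaches a template renderer. An escape-based fallback is included for cases where a value must be passed through. The sample XML is constructed; the #{7*7} probe is the one quoted in the advisory; the assumption that the renderer honours the backslash-escaped forms \#{ and \${ is standard JSP/Facelets behaviour and is not stated on the page.

```python
"""Defensive pre-check for XML that feeds a server-side template renderer.

Added example for this advisory, not Glassfish or NVD code.  Assumes the
renderer evaluates the two standard EL delimiters, ``#{...}`` (deferred)
and ``${...}`` (immediate), and that a leading backslash (``\\#{``, ``\\${``)
turns them into literal text, as in JSP/Facelets.
"""
import re
import xml.etree.ElementTree as ET

# An EL delimiter followed by a braced body, unless already escaped
# with a backslash.  The negative lookbehind keeps neutralised values
# from being flagged a second time.
EL_PATTERN = re.compile(r"(?<!\\)[#$]\{[^}]*\}")

# Constructed sample: one EL probe in an attribute, one in element text,
# and one harmless brace pair with no delimiter.
SAMPLE_XML = """<gadget title="#{7*7}">
  <label>Welcome, ${user.name}</label>
  <note>Plain text with braces {ok} and no delimiter</note>
</gadget>"""


def find_el_expressions(xml_text: str) -> list:
    """Return (location, expression) pairs for every EL-looking fragment
    found in element text, tail text or attribute values."""
    root = ET.fromstring(xml_text)  # raises ParseError on malformed input
    findings = []
    for elem in root.iter():
        for m in EL_PATTERN.finditer(elem.text or ""):
            findings.append((f"{elem.tag}/text", m.group(0)))
        for m in EL_PATTERN.finditer(elem.tail or ""):
            findings.append((f"{elem.tag}/tail", m.group(0)))
        for attr, value in elem.attrib.items():
            for m in EL_PATTERN.finditer(value):
                findings.append((f"{elem.tag}@{attr}", m.group(0)))
    return findings


def is_safe_for_rendering(xml_text: str) -> bool:
    """Reject-by-default policy: a document is safe only if it contains no
    unescaped EL expression anywhere a user could have written one."""
    return not find_el_expressions(xml_text)


def neutralize_el(xml_text: str) -> str:
    """Fallback for values that must be passed through: prefix every
    unescaped EL delimiter with a backslash so the renderer treats it as
    literal text.  Operates on the raw document because '#{' and '${' never
    occur in XML markup itself, only in text and attribute values."""
    return re.sub(r"(?<!\\)([#$])\{", r"\\\1{", xml_text)


def check_document(xml_text: str) -> str:
    """Gatekeeper a handler would call before rendering.  Raises on any EL
    expression so the offending location is logged rather than evaluated."""
    findings = find_el_expressions(xml_text)
    if findings:
        where = ", ".join(f"{loc}: {expr}" for loc, expr in findings)
        raise ValueError(f"EL expression syntax in untrusted XML ({where})")
    return xml_text


if __name__ == "__main__":
    print("findings:", find_el_expressions(SAMPLE_XML))
    print("safe as-is:", is_safe_for_rendering(SAMPLE_XML))
    cleaned = neutralize_el(SAMPLE_XML)
    print("safe after escaping:", is_safe_for_rendering(cleaned))
```

The reject-by-default path (check_document) is the one to wire into request handling; the escaping fallback only helps if the renderer actually honours backslash escapes, which should be verified against the deployed product before relying on it.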

Indicators of Compromise

ID              Type   Indicator
CVE-2026-2587   RCE    Glassfish gadget handler
CVE-2026-2587   RCE    server-side template rendering mechanism
CVE-2026-2587   RCE    Expression Language (EL) injection via .xml files
Source & Attribution
Source Platform: NVD
Channel: National Vulnerability Database
Published: May 19, 2026 at 18:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.

