CVE-2026-2586 — GlassFish's Administration Console is Vulnerable to RCE

Description

An authenticated Remote Code Execution (RCE) vulnerability was identified in GlassFish's Administration Console. A user with access to the panel can send crafted requests that allow the execution of arbitrary operating system commands with the privileges of the application service user.

How to fix CVE-2026-2586

To remediate CVE-2026-2586, upgrade the affected package to a fixed version below.

Maven/org.glassfish.jsftemplating:jsftemplating—upgrade to 4.2.0 or later
—upgrade to 8.0.2 or later

Is CVE-2026-2586 being exploited?

No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-2586.

Affected packages (2)

from 0, < 4.2.0
from 0, < 8.0.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.1	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-2586
PATCHgithub.com/eclipse-ee4j/glassfish
WEBgithub.com/eclipse-ee4j/glassfish/releases/tag/8.0.2
WEBgitlab.eclipse.org/security/cve-assignment/-/issues/87