This page lists publicly disclosed CVE vulnerabilities affecting eclipse glassfish (linked via NVD CPE). Each row includes severity scores, summaries, and publication dates to help identify and analyze security issues.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2026-2587 | A critical Remote Code Execution (RCE) vulnerability was identified in the server-side template rendering mechanism used by the Glassfish gadget handler. The application processes .xml files and evaluates user-supplied values within a context where Expression Language (EL) “expressions” are processed without proper sanitization or escaping. By injecting expressions such as #{7*7}, the server returns 49, confirming server-side EL evaluation. This issue allows a remote attacker to fully compromise | [email protected] | 9.6 | 0.14% | 2026-05-19 | 2026-05-21 |
| CVE-2026-2586 | An authenticated Remote Code Execution (RCE) vulnerability was identified in GlassFish's Administration Console. A user with access to the panel can send crafted requests that allow the execution of arbitrary operating system commands with the privileges of the application service user. | [email protected] | 9.1 | 0.30% | 2026-05-19 | 2026-05-21 |
| CVE-2024-9408 | In Eclipse GlassFish since version 6.2.5 it is possible to perform a Server Side Request Forgery attack in specific endpoints. | [email protected] | 8.9 | 0.30% | 2025-07-16 | 2025-07-16 |
| CVE-2024-9343 | In Eclipse GlassFish version 7.0.15 is possible to perform Stored Cross-site scripting attacks in the Administration Console. | [email protected] | 6.1 | 0.15% | 2025-07-16 | 2025-07-16 |
| CVE-2024-9342 | In Eclipse GlassFish version 7.0.16 or earlier it is possible to perform Login Brute Force attacks as there is no limitation in the number of failed login attempts. | [email protected] | 6.3 | 0.40% | 2025-07-16 | 2025-07-16 |
| CVE-2024-10032 | In Eclipse GlassFish version 7.0.15 is possible to perform Stored Cross-site scripting attacks in the Administration Console. | [email protected] | 6.1 | 0.12% | 2025-07-16 | 2025-07-16 |
| CVE-2024-10031 | In Eclipse GlassFish version 7.0.15 is possible to perform Stored Cross-site Scripting attacks by modifying the configuration file in the underlying operating system. | [email protected] | 5.8 | 0.11% | 2025-07-16 | 2025-07-16 |
| CVE-2024-10029 | In Eclipse GlassFish version 7.0.15 is possible to perform Reflected Cross-site scripting attacks in the Administration Console. | [email protected] | 4.5 | 0.15% | 2025-07-16 | 2025-07-16 |
| CVE-2024-9329 | In Eclipse Glassfish versions before 7.0.17, The Host HTTP parameter could cause the web application to redirect to the specified URL, when the requested endpoint is '/management/domain'. By modifying the URL value to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. | [email protected] | 6.9 | 0.60% | 2024-09-30 | 2024-11-21 |
| CVE-2024-8646 | In Eclipse Glassfish versions prior to 7.0.10, a URL redirection vulnerability to untrusted sites existed. This vulnerability is caused by the vulnerability (CVE-2023-41080) in the Apache code included in GlassFish. This vulnerability only affects applications that are explicitly deployed to the root context ('/'). | [email protected] | 6.1 | 0.78% | 2024-09-11 | 2024-09-18 |
| CVE-2023-5763 | In Eclipse Glassfish 5 or 6, running with old versions of JDK (lower than 6u211, or < 7u201, or < 8u191), allows remote attackers to load malicious code on the server via access to insecure ORB listeners. | [email protected] | 6.8 | 0.15% | 2023-11-03 | 2024-11-21 |
| CVE-2022-2712 | In Eclipse GlassFish versions 5.1.0 to 6.2.5, there is a vulnerability in relative path traversal because it does not filter request path starting with './'. Successful exploitation could allow an remote unauthenticated attacker to access critical data, such as configuration files and deployed application source code. | [email protected] | 6.5 | 0.61% | 2023-01-27 | 2024-11-21 |