{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/el-injection/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":9.6,"id":"CVE-2026-2587"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["GlassFish"],"_cs_severities":["critical"],"_cs_tags":["rce","el-injection","glassfish","cve-2026-2587"],"_cs_type":"advisory","_cs_vendors":["Eclipse Foundation"],"content_html":"\u003cp\u003eA critical Remote Code Execution vulnerability, CVE-2026-2587, has been identified in Eclipse GlassFish. The vulnerability lies in the GlassFish admin console gadget handler. The application processes \u003ccode\u003e.xml\u003c/code\u003e files fetched from a URL supplied via the \u003ccode\u003egadget=\u003c/code\u003e query parameter and evaluates user-supplied values inside `` attributes through the Java Expression Language (EL) engine without sanitization. A public exploit PoC has been published, increasing the risk to unpatched GlassFish servers. The exploit, available on Sploitus, targets the \u003ccode\u003e/common/gadgets/gadget.jsf\u003c/code\u003e endpoint and can be triggered via CSRF if an admin session is active. The vulnerability affects Eclipse GlassFish versions prior to 7.1.0.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker hosts a malicious XML file containing EL expressions (e.g., \u003ccode\u003e#{7*7}\u003c/code\u003e) on a server.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a CSRF page containing an iframe that targets the vulnerable GlassFish instance.\u003c/li\u003e\n\u003cli\u003eThe CSRF page is delivered to a logged-in administrator via email or other means.\u003c/li\u003e\n\u003cli\u003eThe administrator\u0026rsquo;s browser loads the CSRF page, triggering the iframe.\u003c/li\u003e\n\u003cli\u003eThe iframe sends a GET request to \u003ccode\u003e/common/gadgets/gadget.jsf\u003c/code\u003e with the \u003ccode\u003egadget\u003c/code\u003e parameter pointing to the attacker\u0026rsquo;s hosted XML file.\u003c/li\u003e\n\u003cli\u003eThe GlassFish server fetches the XML file from the attacker\u0026rsquo;s server.\u003c/li\u003e\n\u003cli\u003eThe GlassFish server evaluates the EL expression within the \u003ccode\u003eModulePrefs\u003c/code\u003e section of the XML file.\u003c/li\u003e\n\u003cli\u003eIf the EL expression contains malicious Java code, the server executes it, leading to remote code execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-2587 allows an attacker to execute arbitrary code on the GlassFish server. This could lead to complete system compromise, data theft, denial of service, or further lateral movement within the network. The availability of a public exploit increases the likelihood of exploitation, especially for organizations that have not yet patched their GlassFish instances. The CVSS score of 9.6 indicates the critical severity of this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Eclipse GlassFish to version 7.1.0 or later to patch CVE-2026-2587 (see References).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect CVE-2026-2587 Exploitation Attempt via GET Request\u0026rdquo; to detect exploitation attempts (see Rules).\u003c/li\u003e\n\u003cli\u003eImplement CSRF protection measures to mitigate the risk of exploitation through compromised administrator sessions (general security best practice).\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests to \u003ccode\u003e/common/gadgets/gadget.jsf\u003c/code\u003e with unusual \u003ccode\u003egadget\u003c/code\u003e parameter values, especially those pointing to external URLs (see References for vulnerable endpoint).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-20T22:01:00Z","date_published":"2026-05-20T22:01:00Z","id":"https://feed.craftedsignal.io/briefs/2026-05-glassfish-rce/","summary":"A remote code execution vulnerability (CVE-2026-2587) exists in Eclipse GlassFish due to unsanitized user-supplied values in XML attributes being evaluated by the Java Expression Language (EL) engine, and a public exploit is now available.","title":"Eclipse GlassFish EL Injection Vulnerability (CVE-2026-2587) Exploit Publicly Available","url":"https://feed.craftedsignal.io/briefs/2026-05-glassfish-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — El-Injection","version":"https://jsonfeed.org/version/1.1"}