CVE-2026-2586 · CRITICAL 9.1 · EPSS percentile 52.4%

Description

An authenticated Remote Code Execution (RCE) vulnerability was identified in GlassFish's Administration Console. A user with access to the panel can send crafted requests that allow the execution of arbitrary operating system commands with the privileges of the application service user.

Scoring

CVSS 3.1: 9.1 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
EPSS: 0.82% probability of exploitation · percentile 52.4% · 2026-06-18T12:00:27Z
Published: 2026-05-19
Last modified: 2026-05-21

Underlying weaknesses · 2

CWE-94, CWE-917

References

  1. https://gitlab.eclipse.org/security/cve-assignment/-/issues/87

Type       Target                                                                                                            Confidence  Tier
Weakness   Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection'), CWE-917   0%   live
Weakness   Improper Control of Generation of Code ('Code Injection'), CWE-94                                                  0%   live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE: CVE-2025-7388
CVE: CVE-2026-2587
CVE: Oracle Java SE and Java SE Embedded Remote Code Execution Vulnerability
CVE: CVE-2025-23120
CVE: CVE-2025-29902
CVE: CVE-2025-26264

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.