CVE-2026-2586

Severity CVSS v4.0:

Pending analysis

Type:

CWE-94 Code Injection

Publication date:

19/05/2026

Last modified:

19/05/2026

Description

An authenticated Remote Code Execution (RCE) vulnerability was identified in GlassFish&#39;s Administration Console. A user with access to the panel can send crafted requests that allow the execution of arbitrary operating system commands with the privileges of the application service user.

Impact

Vector 3.x

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H CVSS v3.1 Severity and Metrics:

Base Score: 9.10 CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): High
User Interaction (UI): None
Scope (S): Changed
Confidentiality (C): High
Integrity (I): High
Availability (A): High

Base Score 3.x

9.10

Severity 3.x

CRITICAL

References to Advisories, Solutions, and Tools

https://gitlab.eclipse.org/security/cve-assignment/-/issues/87