
cpe:2.3:a:eclipse_foundation:eclipse_glassfish:*:*:*:*:*:*:*:*

part: a version: * update: *

Vendor: Eclipse Foundation (2c315c48-0111-5572-bbde-cc70cfafb2e9)
Product: Eclipse Glassfish (da1419ae-6598-5b02-b4a2-f6f1ccec596b)
Edition: *
Language: *
Software edition: *
Target software: *
Target hardware: *
Other: *
Notes: Imported from gcve-enriched-dumps CVE data

PURL mappings

PURL | Source | Last updated
No PURL mappings for this CPE yet.

Vulnerability references

Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale
CVE:CVE-2026-2587 vulnerable 2026-06-03 15:19:24.556497 Details available
CRITICAL (9.6)
A critical Remote Code Execution (RCE) vulnerability was identified in the server-side template rendering mechanism used by the Glassfish gadget handler. The application processes .xml files and evaluates user-supplied values within a context where Expression Language (EL) “expressions” are processed without proper sanitization or escaping. By injecting expressions such as #{7*7}, the server returns 49, confirming server-side EL evaluation. This issue allows a remote attacker to fully compromise the underlying host, enabling capabilities such as reading/modifying data, executing arbitrary commands, persistence, and lateral movement.
Published: 2026-05-19T14:03:18.650Z
Updated: 2026-05-20T10:26:19.337Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-2586 vulnerable 2026-06-03 15:19:24.556135 Details available
CRITICAL (9.1)
An authenticated Remote Code Execution (RCE) vulnerability was identified in GlassFish's Administration Console. A user with access to the panel can send crafted requests that allow the execution of arbitrary operating system commands with the privileges of the application service user.
Published: 2026-05-19T14:12:06.459Z
Updated: 2026-05-20T10:24:59.460Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-9408 vulnerable 2026-06-03 14:58:21.175067 Details available
In Eclipse GlassFish since version 6.2.5 it is possible to perform a Server Side Request Forgery attack in specific endpoints.
Published: 2025-07-16T11:15:03.412Z
Updated: 2025-07-16T15:53:13.391Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-9343 vulnerable 2026-06-03 14:58:21.037722 Details available
In Eclipse GlassFish version 7.0.15 it is possible to perform Stored Cross-site scripting attacks in the Administration Console.
Published: 2025-07-16T10:47:55.853Z
Updated: 2025-07-16T14:39:10.179Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-9342 vulnerable 2026-06-03 14:58:21.036200 Details available
In Eclipse GlassFish version 7.0.16 or earlier it is possible to perform Login Brute Force attacks as there is no limitation in the number of failed login attempts.
Published: 2025-07-16T10:14:28.966Z
Updated: 2025-07-16T14:39:49.251Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-8646 vulnerable 2026-06-03 14:58:19.046815 Eclipse Glassfish: URL redirection vulnerability to untrusted sites
MEDIUM (6.1)
In Eclipse Glassfish versions prior to 7.0.10, a URL redirection vulnerability to untrusted sites existed. This vulnerability is caused by the vulnerability (CVE-2023-41080) in the Apache code included in GlassFish. This vulnerability only affects applications that are explicitly deployed to the root context ('/').
Published: 2024-09-11T13:26:47.468Z
Updated: 2024-09-11T13:40:06.290Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-10032 vulnerable 2026-06-03 14:54:04.779494 Details available
In Eclipse GlassFish version 7.0.15 it is possible to perform Stored Cross-site scripting attacks in the Administration Console.
Published: 2025-07-16T11:07:55.848Z
Updated: 2025-07-16T14:38:55.074Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-10031 vulnerable 2026-06-03 14:54:04.779143 Details available
In Eclipse GlassFish version 7.0.15 it is possible to perform Stored Cross-site Scripting attacks by modifying the configuration file in the underlying operating system.
Published: 2025-07-16T11:02:51.419Z
Updated: 2025-07-16T14:38:59.823Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-10029 vulnerable 2026-06-03 14:54:04.778020 Details available
In Eclipse GlassFish version 7.0.15 it is possible to perform Reflected Cross-site scripting attacks in the Administration Console.
Published: 2025-07-16T10:55:35.408Z
Updated: 2025-07-16T14:39:05.571Z
Imported from gcve-enriched-dumps CVE data
