{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/84630?format=json","vulnerability_id":"VCID-n2y7-zmsu-2qa9","summary":"An authenticated Remote Code Execution (RCE) vulnerability was identified in GlassFish's Administration Console. A user with access to the panel can send crafted requests that allow the execution of arbitrary operating system commands with the privileges of the application service user.","aliases":[{"alias":"CVE-2026-2586"},{"alias":"GHSA-96v6-hq43-x9h4"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/41225?format=json","purl":"pkg:maven/org.glassfish.jsftemplating/jsftemplating@4.2.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.glassfish.jsftemplating/jsftemplating@4.2.0"},{"url":"http://public2.vulnerablecode.io/api/packages/41228?format=json","purl":"pkg:maven/org.glassfish.main.admingui/console-common@8.0.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.glassfish.main.admingui/console-common@8.0.2"}],"affected_packages":[],"references":[{"reference_url":"https://github.com/eclipse-ee4j/glassfish/releases/tag/8.0.2","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/eclipse-ee4j/glassfish/releases/tag/8.0.2"},{"reference_url":"https://gitlab.eclipse.org/security/cve-assignment/-/issues/87","reference_id":"87","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-19T14:40:47Z/"}],"url":"https://gitlab.eclipse.org/security/cve-assignment/-/issues/87"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-2586","reference_id":"CVE-2026-2586","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-2586"},{"reference_url":"https://github.com/advisories/GHSA-96v6-hq43-x9h4","reference_id":"GHSA-96v6-hq43-x9h4","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-96v6-hq43-x9h4"}],"weaknesses":[{"cwe_id":94,"name":"Improper Control of Generation of Code ('Code Injection')","description":"The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment."},{"cwe_id":917,"name":"Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')","description":"The product constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed."}],"exploits":[],"severity_range_score":"9.0 - 10.0","exploitability":null,"weighted_severity":null,"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-n2y7-zmsu-2qa9"}