GlassFish Security Fixes Summary

Vulnerability Summary Severity Versions affected Fixed in version
CVE-2024-9342 Eclipse GlassFish is vulnerable to Login Brute Force attacks through unlimited failed login attempts 6.3 MEDIUM 7.0.16 - 7.0.25 8.0.3, 7.0.26
CVE-2026-54512 jackson-databind has a PolymorphicTypeValidator bypass via generic type parameters that allows arbitrary class instantiation 8.1 HIGH 7.0.16 - 7.0.25, 7.1.0, 8.0.0 - 8.0.2 8.0.3, 7.1.1, 7.0.26
CVE-2026-54513 jackson-databind has an array subtype allowlist bypass in BasicPolymorphicTypeValidator (allowIfSubTypeIsArray) 8.1 HIGH 7.0.16 - 7.0.25, 7.1.0, 8.0.0 - 8.0.2 8.0.3, 7.1.1, 7.0.26
CVE-2026-54514 jackson-databind: InetSocketAddress deserialization triggers eager DNS resolution (SSRF) 5.3 MEDIUM 7.0.16 - 7.0.25, 7.1.0, 8.0.0 - 8.0.2 8.0.3, 7.1.1, 7.0.26
CVE-2026-54516 jackson-databind's renamed @JsonIgnore'd setters can deserialize via private fields 5.3 MEDIUM 8.0.0 - 8.0.2 8.0.3
CVE-2026-54517 jackson-databind has @JsonView bypass for setterless creator properties 5.3 MEDIUM 8.0.0 - 8.0.2 8.0.3
CVE-2026-54518 jackson-databind has a @JsonView bypass for unwrapped creator parameters 6.5 MEDIUM 8.0.0 - 8.0.2 8.0.3
CVE-2026-24457 9.8 CRITICAL - An unsafe parsing of OpenMQ's configuration, allows to read arbitrary files from a MQ Broker's server 9.8 CRITICAL < 8.0.2 8.0.2
CVE-2026-2586 GlassFish's Administration Console is Vulnerable to RCE 9.1 CRITICAL 7.0.16 - 8.0.1 8.0.2, 7.1.1, 7.0.26
CVE-2026-2587 GlassFish's gadget handler is vulnerable to RCE 9.6 CRITICAL 7.0.16 - 8.0.1 8.0.2, 7.1.1, 7.0.26
CVE-2020-27511 HIGH, 7.5 - Upgrade Woodstock to 6.0.3 with a security fix for prototype 7.5 HIGH < 8.0.0 8.0.0, 7.1.1, 7.0.26
CVE-2020-5258 HIGH, 7.7 - Upgrade dojo.js to 1.16.5 7.7 HIGH < 8.0.0 8.0.0, 7.1.0, 7.0.26
CVE-2024-10029 Eclipse GlassFish is vulnerable to Reflected XSS attacks through its Administration Console 4.5 MEDIUM 7.0.16 - 7.0.25 7.0.26
CVE-2024-10031 Eclipse GlassFish is vulnerable to Stored XSS attacks through configuration file modifications 5.8 MEDIUM 7.0.16 - 7.0.25 7.0.26
CVE-2024-10032 Eclipse GlassFish is vulnerable to Stored XSS attacks through its Administration Console 6.1 MEDIUM 7.0.16 - 7.0.25 7.0.26
CVE-2024-9343 Eclipse GlassFish is vulnerable to Stored XSS attacks through its Administration Console 6.1 MEDIUM 7.0.16 - 7.0.25 7.0.26
CVE-2025-12383 Eclipse Jersey has a Race Condition 9.4 CRITICAL 7.0.20 - 7.0.21 7.0.22
CVE-2024-9329 Eclipse Glassfish improperly handles http parameters 6.9 MEDIUM 7.0.16 7.0.17
CVE-2023-41080 Avoid protocol relative redirects in 6.1 MEDIUM < 7.0.10 7.0.10
CVE-2022-46337 GlassFish not affected because bundled Derby DB does not authenticate database users via LDAP 9.8 CRITICAL Not impacted

Generated at: 2026-07-12 18:23:22

Scroll to Top