7.0.26
Eclipse GlassFish is an application server, implementing Jakarta EE. This release is corresponding with the Jakarta EE 10 specification, which is a major feature release. Jakarta EE 10 requires JDK 11 as a minimum, but also officially works on JDK 17 and JDK 21.
GlassFish 7.0.26 is a final release, containing final Jakarta EE 10 APIs. It compiles and runs on JDK 11 to JDK 24. MicroProfile support requires JDK 17 or higher.
Since 7.0.26, the GlassFish 7.0.x branch is in maintenance mode with focus on security and stability. It mainly receives security fixes and important patches.
Release overview
This update brings security fixes, a fix of memory leak in Jersey, and a few other small improvements and fixes. Mojarra is upgraded to 4.0.15, which proved to be a stable release without any regressions or known issues.
What's Changed
Security Fixes
- Fixes CVE-2026-2586 9.1 CRITICAL - A critical Remote Code Execution (RCE) vulnerability in Admin Console
- Fixes CVE-2026-2587 9.6 CRITICAL - An authenticated Remote Code Execution (RCE) vulnerability in Admin Console
- Fixes CVE-2020-5258 - HIGH, 7.7 - Upgrade dojo.js to 1.16.5
- Fixes CVE-2020-27511 - HIGH, 7.5 - Upgrade Woodstock to 6.0.3 with a security fix for prototype
- Not exploitable by CVE-2022-46337 CRITICAL, 9.8. GlassFish not affected because bundled Derby DB does not authenticate database users via LDAP
Improvements
Bug Fixes
- Fix FQCN of ProxyHandlerImpl by @pzygielo in #25523
- Integrate Jersey
- Do not swallow InterruptedException by @pzygielo in #25603
Component Upgrades
- Bump Weld from 5.1.5 to 5.1.6 by @pzygielo in #25582
- Upgrade command-security and easy mock to support build on Java 25 by @arjantijms in #25950
- Upgrade Mojarra to 4.0.15 by @OndroMih in #26071
- Upgrade JSF templating to 4.0.5 by @OndroMih in #26065
- Upgrade woodstock to 6.0.3 (dojo.js to 1.16.5, prototype.js to a fixed version) by @OndroMih in #26075
- Bump OpenMQ from 6.5.1 to 6.5.2 by @pzygielo in #26119
- Synchronization with later branches 7.x and main by @dmatej in #26111
- https://commons.apache.org/proper/commons-io/changes.html: 2.18.0 => 2.22.0
- https://commons.apache.org/proper/commons-lang/changes.html: 3.17.0 => 3.20.0
- JBoss Logging
- https://github.com/jboss-javassist/javassist/releases/tag/rel_3_31_0_ga
- https://asm.ow2.io/versions.html: 9.8 => 9.10.1
- Ant
- Upgrades Jackson because Jersey upgrade requires Jackson >= 2.19.0
- FasterXML/java-classmate@classmate-1.7.0...classmate-1.7.3
- https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.5
- https://github.com/eclipse-ee4j/metro-mimepull/releases/tag/1.11.0
- https://docs.junit.org/5.14.4/release-notes.html
- https://github.com/apache/felix-dev/tree/master/webconsole#releases: 5.0.10 => 5.0.18
Full Changelog: 7.0.25...7.0.26
