Skip to content

7.0.26

Choose a tag to compare

@dmatej dmatej released this 27 Jun 21:41

Eclipse GlassFish is an application server, implementing Jakarta EE. This release is corresponding with the Jakarta EE 10 specification, which is a major feature release. Jakarta EE 10 requires JDK 11 as a minimum, but also officially works on JDK 17 and JDK 21.

GlassFish 7.0.26 is a final release, containing final Jakarta EE 10 APIs. It compiles and runs on JDK 11 to JDK 24. MicroProfile support requires JDK 17 or higher.

Since 7.0.26, the GlassFish 7.0.x branch is in maintenance mode with focus on security and stability. It mainly receives security fixes and important patches.

GlassFish 8 logo

Release overview

This update brings security fixes, a fix of memory leak in Jersey, and a few other small improvements and fixes. Mojarra is upgraded to 4.0.15, which proved to be a stable release without any regressions or known issues.

What's Changed

Security Fixes

  • Fixes CVE-2026-2586 9.1 CRITICAL - A critical Remote Code Execution (RCE) vulnerability in Admin Console
  • Fixes CVE-2026-2587 9.6 CRITICAL - An authenticated Remote Code Execution (RCE) vulnerability in Admin Console
  • Fixes CVE-2020-5258 - HIGH, 7.7 - Upgrade dojo.js to 1.16.5
  • Fixes CVE-2020-27511 - HIGH, 7.5 - Upgrade Woodstock to 6.0.3 with a security fix for prototype
  • Not exploitable by CVE-2022-46337 CRITICAL, 9.8. GlassFish not affected because bundled Derby DB does not authenticate database users via LDAP

Improvements

Bug Fixes

Component Upgrades

Full Changelog: 7.0.25...7.0.26