CVE-2025-14340 PUBLISHED

Admin Account Takeover via malicious URL payload

Assigner: Payara
Reserved: 09.12.2025 Published: 18.02.2026 Updated: 18.02.2026

Cross-site scripting in REST Management Interface in Payara Server <4.1.2.191.54, <5.83.0, <6.34.0, <7.2026.1 allows an attacker to mislead the administrator to change the admin password via URL Payload.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/S:P/AU:N/R:U/RE:M/U:Red
CVSS Score: 7.3

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	High	Confidentiality	High
Attack Complexity	Low	Integrity	High	Integrity	High
Attack Requirements	None	Availability	High	Availability	High
Privileges Required	High
User Interaction	Active

CVSS 4.0

Product Status

Vendor	Payara Platform
Product	Payara Server
Versions	Default: unaffected affected from 4.1.153.1 to 4.1.2.191.53 (incl.) affected from 5.20.0 to 5.82.0 (incl.) affected from 6.0.0 to 6.33.0 (incl.) affected from 7.2024.1.Alpha1 to 7.2025.2 (incl.) affected from 6.2022.1 to 6.2025.11 (incl.) affected from 5.2020.2 to 5.2022.5 (incl.) affected from 5.181 to 5.201.2 (incl.) Version 4.1.2.191.54 is unaffected Version 5.83.0 is unaffected Version 6.34.0 is unaffected Version 7.2026.1 is unaffected

Solutions

You must upgrade to an unaffected version.

Credits

Camilo Galdos <camilo.galdos@deepsecurity.pe> finder

References

https://docs.payara.fish/enterprise/docs/Security/Security%20Fix%20List.html

Problem Types

CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') CWE

Impacts

CAPEC-173: Action Spoofing