CVE-2025-14340
published 2026-02-18

CVE-2025-14340: Cross-site scripting in REST Management Interface in Payara Server <4.1.2.191.54, <5.83.0, <6.34.0, <7.2026.1 allows an attacker to mislead the administrator…

Priority: P3 46 | high | 7.3 (CVSS 4.0)
CVSS 4.0 vector: AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:N/R:U/V:X/RE:M/U:Red
Exploit EPSS: 1.00% (58.5th percentile)
Cross-site scripting in REST Management Interface in Payara Server <4.1.2.191.54, <5.83.0, <6.34.0, <7.2026.1 allows an attacker to mislead the administrator to change the admin password via URL Payload.

Affected

7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| payara_platform | payara_server | 4.1.153.1 – 4.1.2.191.53 | |
| payara_platform | payara_server | 5.181 – 5.201.2 | |
| payara_platform | payara_server | 5.20.0 – 5.82.0 | |
| payara_platform | payara_server | 5.2020.2 – 5.2022.5 | |
| payara_platform | payara_server | 6.0.0 – 6.33.0 | |
| payara_platform | payara_server | 6.2022.1 – 6.2025.11 | |
| payara_platform | payara_server | 7.2024.1.Alpha1 – 7.2025.2 | |