CVE-2025-14340
Published 2026-02-18
Priority P3 · 46 · high · 7.3 (CVSS 4.0)
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:N/R:U/V:X/RE:M/U:Red
EPSS: 1.00% (58.5th percentile)
Cross-site scripting in REST Management Interface in Payara Server <4.1.2.191.54, <5.83.0, <6.34.0, <7.2026.1 allows an attacker to mislead the administrator to change the admin password via URL Payload.
Affected (7 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| payara_platform | payara_server | 4.1.153.1 – 4.1.2.191.53 | — |
| payara_platform | payara_server | 5.181 – 5.201.2 | — |
| payara_platform | payara_server | 5.20.0 – 5.82.0 | — |
| payara_platform | payara_server | 5.2020.2 – 5.2022.5 | — |
| payara_platform | payara_server | 6.0.0 – 6.33.0 | — |
| payara_platform | payara_server | 6.2022.1 – 6.2025.11 | — |
| payara_platform | payara_server | 7.2024.1.Alpha1 – 7.2025.2 | — |
No detection rules found.
Nuclei

CVE-2025-14340 [HIGH] Payara Server - Cross-Site Scripting (nuclei · CVSS 7.3)

Template description (only the opening words are indexed): Payara Server versions

Matcher section of the template as indexed; the request section that precedes it is not present on the page:

```yaml
        words:
          - 'alert(document.domain)'
          - 'badassfish'
        condition: and
      - type: word
        part: content_type
        words:
          - text/html
      - type: status
        status:
          - 500
# digest: 4a0a00473045022100ebfdfa988504ce7e94c3243e704b971df4878153c7c7ad770698335697d1fd6d022007c5b5478f3e60ee6bbdc259b7a86ac36f1c8561cdad1bd69914bdd0c7394653:922c64590222798bb761d5b6d8e72950
```
No writeups or analysis indexed.