CVE-2022-37422

HIGH

Payara < 4.1.2.191.36 and < 5.2022.3 - Unauthenticated Path Traversal


Exploitation Summary

EIP tracks 1 public exploit for CVE-2022-37422. PoCs published by shoucheng3.

AI-analyzed exploit summary: This repository contains source code and documentation related to Payara Server, including API files and contribution guidelines. It does not include exploit code but provides technical details about the software architecture and development processes.

Description

Payara through 5.2022.2 allows directory traversal without authentication. This affects Payara Server, Payara Micro, and Payara Server Embedded.

Exploits (1)

nomisec WRITEUP
by shoucheng3 · poc
https://github.com/shoucheng3/payara__Payara_CVE-2022-37422_5-2022-2


Classification
Writeup 90%
Attack Type
Other
Complexity
Moderate
Reliability
Theoretical
Target: Payara Server
No auth needed
Prerequisites: Access to Payara Server source code
Analyzed by devstral-2 on Feb 18, 2026

References (2)

Core References (2)
Product (x_refsource_misc): https://www.payara.fish/downloads/
Release Notes, Vendor Advisory (x_refsource_misc): https://blog.payara.fish/august-community-5-release

Scores

CVSS v3 7.5
EPSS 0.0045
EPSS Percentile 64.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE
CWE-22
Status published
Products (3)
fish.payara.api/payara-bom 0 - 5.2022.3 (Maven)
payara/payara < 4.1.2.191.36
payara/payara < 5.2022.3
Published Aug 18, 2022
Tracked Since Feb 18, 2026