CVE-2025-14340

HIGH · NUCLEI

Payara Server <4.1.2.191.54 - XSS

Title source: llm

Description

Cross-site scripting in the REST Management Interface of Payara Server <4.1.2.191.54, <5.83.0, <6.34.0, <7.2026.1 allows an attacker to trick the administrator into changing the admin password via a URL payload.

Exploits (1)

nomisec · WORKING POC
by DeepSecurityResearch · poc
https://github.com/DeepSecurityResearch/CVE-2025-14340

Nuclei Templates (1)

Payara Server - Cross-Site Scripting
HIGH · VERIFIED · by 0x_Akoko, 0xr2r
Shodan: http.title:"Payara Server" port:4848
FOFA: title="Payara Server" && port="4848"

Scores

CVSS v4 7.3
EPSS 0.0047
EPSS Percentile 64.4%
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/S:P/AU:N/R:U/RE:M/U:Red

Details

CWE
CWE-79
Status published
Products (11)
Payara Platform/Payara Server 4.1.153.1 - 4.1.2.191.53
Payara Platform/Payara Server 4.1.2.191.54
Payara Platform/Payara Server 5.181 - 5.201.2
Payara Platform/Payara Server 5.20.0 - 5.82.0
Payara Platform/Payara Server 5.2020.2 - 5.2022.5
Payara Platform/Payara Server 5.83.0
Payara Platform/Payara Server 6.0.0 - 6.33.0
Payara Platform/Payara Server 6.2022.1 - 6.2025.11
Payara Platform/Payara Server 6.34.0
Payara Platform/Payara Server 7.2024.1.Alpha1 - 7.2025.2
... and 1 more
Published Feb 18, 2026
Tracked Since Feb 18, 2026