CVE-2025-14340
Severity: HIGH | Nuclei template available
Payara Server <4.1.2.191.54, <5.83.0, <6.34.0, <7.2026.1 - Cross-Site Scripting via REST Management Interface
Title source: llm

Exploitation Summary
EIP tracks 1 public exploit for CVE-2025-14340. PoCs published by DeepSecurityResearch. A Nuclei detection template is also available.
AI-analyzed exploit summary: This repository contains a functional proof-of-concept for CVE-2025-14340, demonstrating an XSS vulnerability in Payara's Administration Rest Interface that can lead to admin account takeover by exploiting lack of CSRF protection and password change endpoint weaknesses.
Description
Cross-site scripting in the REST Management Interface in Payara Server <4.1.2.191.54, <5.83.0, <6.34.0, <7.2026.1 allows an attacker to mislead the administrator into changing the admin password via a URL payload.
Exploits (1)
Nuclei Templates (1)
http.title:"Payara Server" port:4848
title="Payara Server" && port="4848"
References (1)
Scores
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/S:P/AU:N/R:U/RE:M/U:Red