CVE-2025-14340

Summary

Cross-site scripting in REST Management Interface in Payara Server <4.1.2.191.54, <5.83.0, <6.34.0, <7.2026.1 allows an attacker to mislead the administrator to change the admin password via URL Payload.

Affected Software

VendorProductVersion RangeStatus
Payara PlatformPayara Server4.1.153.1 <= 4.1.2.191.53affected
Payara PlatformPayara Server5.20.0 <= 5.82.0affected
Payara PlatformPayara Server6.0.0 <= 6.33.0affected
Payara PlatformPayara Server7.2024.1.Alpha1 <= 7.2025.2affected
Payara PlatformPayara Server6.2022.1 <= 6.2025.11affected
Payara PlatformPayara Server5.2020.2 <= 5.2022.5affected
Payara PlatformPayara Server5.181 <= 5.201.2affected
Payara PlatformPayara Server4.1.2.191.54unaffected
Payara PlatformPayara Server5.83.0unaffected
Payara PlatformPayara Server6.34.0unaffected
Payara PlatformPayara Server7.2026.1unaffected

Weaknesses

  • CWE-79: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References