Admin Account Takeover via malicious URL payload_CVE-2025-14340

7.3 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/S:P/AU:N/R:U/RE:M/U:Red

Description

Cross-site scripting in REST Management Interface in Payara Server <4.1.2.191.54, <5.83.0, <6.34.0, <7.2026.1 allows an attacker to mislead the administrator to change the admin password via URL Payload.

Basic Information

ID CVE-2025-14340

Source Payara

Published Feb 18, 2026 at 13:39

Affected Product

Vendor Payara Platform

Product Payara Server

Version 4.1.153.1

Affected Versions Payara Platform Payara Server 4.1.153.1
Payara Platform Payara Server 5.20.0
Payara Platform Payara Server 6.0.0
Payara Platform Payara Server 7.2024.1.Alpha1
Payara Platform Payara Server 6.2022.1
Payara Platform Payara Server 5.2020.2
Payara Platform Payara Server 5.181

CWE Classification

CWE-79

References

docs.payara.fish /enterprise/docs/Security/Security%20Fix%20List.html

{
    "lastseen": "",
    "description": "Cross-site scripting in REST Management Interface in Payara Server <4.1.2.191.54, <5.83.0,\u00a0<6.34.0,\u00a0<7.2026.1 allows an attacker to mislead the administrator to change the admin password via URL Payload.",
    "published": "2026-02-18T13:39:11.316Z",
    "modified": "2026-02-18T13:39:11.316Z",
    "type": "cve",
    "title": "Admin Account Takeover via malicious URL payload",
    "source": "Payara",
    "references": "https://docs.payara.fish/enterprise/docs/Security/Security%20Fix%20List.html",
    "id": "CVE-2025-14340",
    "bulletinFamily": "",
    "cwe": [
        "CWE-79"
    ],
    "cvelist": null,
    "sourceData": "Payara Platform Payara Server 4.1.153.1\nPayara Platform Payara Server 5.20.0\nPayara Platform Payara Server 6.0.0\nPayara Platform Payara Server 7.2024.1.Alpha1\nPayara Platform Payara Server 6.2022.1\nPayara Platform Payara Server 5.2020.2\nPayara Platform Payara Server 5.181",
    "sourceHref": "",
    "cvss": {
        "score": 7.3,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/S:P/AU:N/R:U/RE:M/U:Red",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Payara Server",
    "version": "4.1.153.1",
    "vendor": "Payara Platform",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}