Payara Server allows attackers to change admin password via malicious links

CVE-2025-14340 · CVSS 7.3

Summary

Payara Server versions before 4.1.2.191.54, 5.83.0, 6.34.0, and 7.2026.1 contain a cross-site scripting flaw in the REST Management Interface that could let an attacker trick an administrator into changing the admin password by clicking a specially crafted link. This could potentially give the attacker access to the server. To fix the issue, update to a patched version of Payara Server.

Original title
Cross-site scripting in REST Management Interface in Payara Server <4.1.2.191.54, <5.83.0, <6.34.0, <7.2026.1 allows an attacker to mislead the administrator to change the admin password via URL Pa...
Original description
Cross-site scripting in REST Management Interface in Payara Server <4.1.2.191.54, <5.83.0, <6.34.0, <7.2026.1 allows an attacker to mislead the administrator to change the admin password via URL Payload.
NVD CVSS 4.0 score: 7.3
Vulnerability type
CWE-79 Cross-site Scripting (XSS)
Published: 18 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026