CVE-2025-14340 HIGH

CVE-2025-14340: Admin Account Takeover via malicious URL payload

Vendor Payara Platform
Product Payara Server
Weakness CWE-79 · XSS
Published February 18, 2026
Last update February 19, 2026

CVSS base score

7.3/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/S:P/AU:N/R:U/RE:M/U:Red

What the vulnerability does

01Description

Cross-site scripting in REST Management Interface in Payara Server <4.1.2.191.54, <5.83.0, <6.34.0, <7.2026.1 allows an attacker to mislead the administrator to change the admin password via URL Payload.

Key dates

02Disclosure timeline

February 18, 2026 CVE published
February 19, 2026 Record updated