Payara Server
Monthly
Full unauthenticated administrative takeover of Payara Server Full (4.x through 7.2026.x, including 6.2024.x and 6.2025.x) is achievable by chaining a Server-Side Request Forgery in the Admin GUI's DownloadServlet with the absence of CSRF protection (CWE-352). An attacker who lures a logged-in administrator into a crafted request exfiltrates the admin REST session token (gfresttoken) to an attacker-controlled host, then replays it for full domain control and arbitrary code execution via WAR deployment. The CVSS 4.0 vector carries E:P (proof-of-concept maturity), so publicly available exploit code exists; there is no CISA KEV listing and no EPSS score in the provided data.
A JNDI rebind operation in the default ORB listener in Payara Server 4.1.2.191 (Enterprise), 5.20.0 and newer (Enterprise), and 5.2020.1 and newer (Community), when Java 1.8u181 and earlier is used,. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Full unauthenticated administrative takeover of Payara Server Full (4.x through 7.2026.x, including 6.2024.x and 6.2025.x) is achievable by chaining a Server-Side Request Forgery in the Admin GUI's DownloadServlet with the absence of CSRF protection (CWE-352). An attacker who lures a logged-in administrator into a crafted request exfiltrates the admin REST session token (gfresttoken) to an attacker-controlled host, then replays it for full domain control and arbitrary code execution via WAR deployment. The CVSS 4.0 vector carries E:P (proof-of-concept maturity), so publicly available exploit code exists; there is no CISA KEV listing and no EPSS score in the provided data.
A JNDI rebind operation in the default ORB listener in Payara Server 4.1.2.191 (Enterprise), 5.20.0 and newer (Enterprise), and 5.2020.1 and newer (Community), when Java 1.8u181 and earlier is used,. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.