Liferay


Products by Liferay, sorted by most security vulnerabilities since 2018

Liferay Portal: 249 vulnerabilities

Known Exploited Liferay Vulnerabilities

The following Liferay vulnerabilities have been marked by CISA as known to be exploited by threat actors.

Title: Liferay Portal prior to 7.2.1 CE GA2 Remote Code Execution Vulnerability
Description: Deserialization of Untrusted Data in Liferay Portal prior to 7.2.1 CE GA2 allows remote attackers to execute arbitrary code via JSON web services (JSONWS).
CVE: CVE-2020-7961 (Exploit Probability: 94.4%)
Added: November 3, 2021

The vulnerability CVE-2020-7961: Liferay Portal prior to 7.2.1 CE GA2 Remote Code Execution Vulnerability is in the top 1% of the currently known exploitable vulnerabilities.

By the Year

In 2025 there have been 91 vulnerabilities in Liferay. Last year, in 2024, Liferay had 43 security vulnerabilities published. That is, 48 more vulnerabilities have already been reported in 2025 than in all of last year.

Year Vulnerabilities Average Score
2025 91 0.00
2024 43 6.18
2023 27 6.11
2022 49 6.06
2021 33 5.97
2020 9 7.41
2019 4 6.95
2018 1 8.80

It may take a day or so for new Liferay vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Liferay Security Vulnerabilities

CVE-2025-62275 (Nov 01, 2025)
Title: Liferay 7.4/DPX Blog Image Permissions Bypass: Remote View Blogs
Description: Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions does not check permission of images in a blog entry, which allows remote attackers to view the images in a blog entry via a crafted URL.
Products: Portal, Digital Experience Platform

CVE-2025-62276 (Oct 31, 2025)
Title: Liferay 7.4.x / DXP 2023 Q4: CacheControl Header Flaw Enables Local Disclosure
Description: The Document Library and the Adaptive Media modules in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions use an incorrect cache-control header, which allows local users to obtain access to downloaded files via the browser's cache.
Products: Portal, Digital Experience Platform

CVE-2025-62267 (Oct 31, 2025)
Title: Liferay Portal XSS in Web Content Templates 7.4.3.35-7.4.3.111
Description: Multiple cross-site scripting (XSS) vulnerabilities in the web content templates select structure page in Liferay Portal 7.4.3.35 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 update 35 through update 92 allow remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a user's (1) First Name, (2) Middle Name, or (3) Last Name text field.
Products: Portal, Digital Experience Platform

CVE-2025-62264 (Oct 31, 2025)
Title: Liferay 7.4.3.8111 / DXP 2023 Q4/Q3: Reflected XSS via Lang. Override Portlet
Description: Reflected cross-site scripting (XSS) vulnerability in Language Override in Liferay Portal 7.4.3.8 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, and 7.4 update 4 through update 92 allows remote attackers to inject arbitrary web script or HTML via the `_com_liferay_portal_language_override_web_internal_portlet_PLOPortlet_selectedLanguageId` parameter.
Products: Portal, Digital Experience Platform

CVE-2025-62265 (Oct 30, 2025)
Title: XSS in Liferay Portal 7.4.0-7.4.3.111 Blogs widget: iframe lacks sandbox
Description: Cross-site scripting (XSS) vulnerability in the Blogs widget in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92, 7.3 GA through update 36, and older unsupported versions allows remote attackers to inject arbitrary web script or HTML via a crafted <iframe> injected into a blog entry's Content text field. The Blogs widget in Liferay DXP does not add the sandbox attribute to <iframe> elements, which allows remote attackers to access the parent page via scripts and links in the frame page.
Products: Portal, Digital Experience Platform

CVE-2025-62266 (Oct 30, 2025)
Title: DNS Rebinding in Liferay Portal 7.4.x <=7.4.3.119 & DXP Q1-2024
Description: By default, Liferay Portal 7.4.0 through 7.4.3.119, and older unsupported versions, and Liferay DXP 2024.Q1.1 through 2024.Q1.5, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions is vulnerable to DNS rebinding attacks, which allows remote attackers to redirect users to arbitrary external URLs. This vulnerability can be mitigated by changing the redirect URL security from IP to domain.
Products: Portal, Digital Experience Platform

CVE-2025-62257 (Oct 29, 2025)
Title: Liferay 7.4.x & DXP 2024.Q1.x Password Enumeration via Brute Force
Description: Password enumeration vulnerability in Liferay Portal 7.4.0 through 7.4.3.119, and older unsupported versions, and Liferay DXP 2024.Q1.1 through 2024.Q1.5, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions allows remote attackers to determine a user's password, even if account lockout is enabled, via a brute force attack.
Products: Portal, Digital Experience Platform

CVE-2025-62258 (Oct 27, 2025)
Title: CSRF in Liferay Portal Headless API 7.4.0-7.4.3.107, 7.4 GA-92, 7.3 GA-35
Description: CSRF vulnerability in the Headless API in Liferay Portal 7.4.0 through 7.4.3.107, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions allows remote attackers to execute any Headless API via the `endpoint` parameter.
Products: Portal, Digital Experience Platform

CVE-2025-62259 (Oct 27, 2025)
Title: Liferay Portal 7.4.x/APIs Unchecked Email Verify => Remote Edit Access
Description: Liferay Portal 7.4.0 through 7.4.3.109, and older unsupported versions, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions does not limit access to APIs before a user has verified their email address, which allows remote users to access and edit content via the API.
Products: Portal, Digital Experience Platform

CVE-2025-62260 (Oct 27, 2025)
Title: DoS via Unbounded Return in Liferay 7.4.0-7.4.3.99+ Headless API
Description: Liferay Portal 7.4.0 through 7.4.3.99, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions does not limit the number of objects returned from Headless API requests, which allows remote attackers to perform denial-of-service (DoS) attacks on the application by executing a request that returns a large number of objects.
Products: Portal, Digital Experience Platform
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).