Liferay Digital Experience Platform
Tracked on stack.watch, which sends an email whenever new security vulnerabilities are reported in Liferay Digital Experience Platform.
By the Year
So far in 2026 there have been 0 vulnerabilities published for Liferay Digital Experience Platform. Last year, in 2025, Digital Experience Platform had 80 security vulnerabilities published. On that basis it is on track to have fewer security vulnerabilities in 2026 than it did last year. The 0.00 average shown for 2025 reflects entries with no recorded score at the time the page was generated, not low severity.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 0 | 0.00 |
| 2025 | 80 | 0.00 |
| 2024 | 42 | 6.18 |
| 2023 | 25 | 5.96 |
| 2022 | 42 | 6.00 |
| 2021 | 31 | 5.96 |
| 2020 | 3 | 7.40 |
It may take a day or so for new Digital Experience Platform vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name (most entries below are filed against Liferay Portal as well as DXP), so the counts above are a lower bound.
Recent Liferay Digital Experience Platform Security Vulnerabilities
Liferay 7.4/DXP Blog Image Permissions Bypass: Remote View
CVE-2025-62275
- November 01, 2025
Blogs in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions does not check permission of images in a blog entry, which allows remote attackers to view the images in a blog entry via crafted URL.
AuthZ
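Every entry on this page lists affected versions in up to three numbering schemes (Liferay Portal `7.4.3.111`, DXP quarterly `2023.Q4.10`, and legacy DXP `7.4 update 92`), and the ranges do not compare across schemes. The following is an added example, not code from stack.watch or Liferay, that parses all three and checks an installed version against the ranges transcribed from the CVE-2025-62275 entry above. The function names, the `None` lower bound standing for "and older unsupported versions", and the choice to order "service pack N" as update N are this example's own assumptions.

```python
import re
from typing import Optional, Tuple

# Parsers for the three version schemes that appear in the entries on this page.
_QUARTERLY = re.compile(r"^(\d{4})\.Q([1-4])\.(\d+)$")                                   # 2023.Q4.10
_LEGACY = re.compile(r"^(\d+)\.(\d+)\s+(GA|update\s+(\d+)|service pack\s+(\d+))$", re.I)  # 7.4 update 92
_PORTAL = re.compile(r"^\d+(\.\d+){1,3}$")                                                # 7.4.3.111


def parse_version(text: str) -> Tuple[str, tuple]:
    """Return (scheme, sortable key). Keys only compare within the same scheme."""
    text = text.strip()
    m = _QUARTERLY.match(text)
    if m:
        return "dxp-quarterly", tuple(int(g) for g in m.groups())
    m = _LEGACY.match(text)
    if m:
        major, minor, kind, upd, sp = m.groups()
        # GA sorts as level 0. "service pack N" is sorted as level N: an assumption,
        # supported only by the page listing "7.3 service pack 3 through update 36"
        # as one contiguous range.
        level = 0 if kind.upper() == "GA" else int(upd or sp)
        return "dxp-legacy", (int(major), int(minor), level)
    if _PORTAL.match(text):
        return "portal", tuple(int(p) for p in text.split("."))
    raise ValueError(f"unrecognised Liferay version string: {text!r}")


# Affected ranges transcribed from the CVE-2025-62275 entry: (lowest affected, highest
# affected). A lower bound of None encodes "and older unsupported versions".
CVE_2025_62275_RANGES = [
    (None, "7.4.3.111"),          # Liferay Portal 7.4.0 through 7.4.3.111, and older
    ("2023.Q4.0", "2023.Q4.10"),  # Liferay DXP 2023.Q4.0 through 2023.Q4.10
    ("2023.Q3.1", "2023.Q3.10"),  # Liferay DXP 2023.Q3.1 through 2023.Q3.10
    (None, "7.4 update 92"),      # 7.4 GA through update 92, and older
]


def affected_range(installed: str, ranges) -> Optional[Tuple[Optional[str], str]]:
    """Return the first range that covers `installed`, or None if it is outside all."""
    scheme, key = parse_version(installed)
    for low, high in ranges:
        high_scheme, high_key = parse_version(high)
        if high_scheme != scheme or key > high_key:
            continue
        if low is None:
            return (low, high)
        low_scheme, low_key = parse_version(low)
        if low_scheme == scheme and key >= low_key:
            return (low, high)
    return None


def is_affected(installed: str, ranges=CVE_2025_62275_RANGES) -> bool:
    return affected_range(installed, ranges) is not None


if __name__ == "__main__":
    for v in ["7.4.3.111", "7.4.3.112", "2023.Q4.10", "2023.Q4.11", "7.4 update 92", "7.3 GA"]:
        print(f"{v:>13}  {'AFFECTED' if is_affected(v) else 'outside ranges'}")
```

Because the upper bound of an open range like "and older unsupported versions" still belongs to one scheme, a 7.3 DXP update is reported as affected by the `7.4 update 92` range while a `2025.Q1.0` quarterly release is not; that matches how the advisories are worded, so read the scheme of your installation off the patching tool before trusting the answer.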
Liferay 7.4.x / DXP 2023 Q4: CacheControl Header Flaw Enables Local Disclosure
CVE-2025-62276
- October 31, 2025
The Document Library and the Adaptive Media modules in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions uses an incorrect cache-control header, which allows local users to obtain access to downloaded files via the browser's cache.
Use of Web Browser Cache Containing Sensitive Information
Liferay Portal XSS in Web Content Templates 7.4.3.35-7.4.3.111
CVE-2025-62267
- October 31, 2025
Multiple cross-site scripting (XSS) vulnerabilities in the web content templates select structure page in Liferay Portal 7.4.3.35 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 update 35 through update 92 allow remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a user's (1) First Name, (2) Middle Name, or (3) Last Name text field.
XSS
Liferay 7.4.3.8-111 / DXP 2023 Q4/Q3: Reflected XSS via Language Override Portlet
CVE-2025-62264
- October 31, 2025
Reflected cross-site scripting (XSS) vulnerability in Language Override in Liferay Portal 7.4.3.8 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, and 7.4 update 4 through update 92 allows remote attackers to inject arbitrary web script or HTML via the `_com_liferay_portal_language_override_web_internal_portlet_PLOPortlet_selectedLanguageId` parameter.
XSS
XSS in Liferay Portal 7.4.0-7.4.3.111 Blogs widget: iframe lacks sandbox
CVE-2025-62265
- October 30, 2025
Cross-site scripting (XSS) vulnerability in the Blogs widget in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92, 7.3 GA through update 36, and older unsupported versions allows remote attackers to inject arbitrary web script or HTML via a crafted <iframe> injected into a blog entry's Content text field. The Blogs widget does not add the sandbox attribute to <iframe> elements, which allows remote attackers to access the parent page via scripts and links in the framed page.
XSS
DNS Rebinding in Liferay Portal 7.4.x <=7.4.3.119 & DXP Q1-2024
CVE-2025-62266
- October 30, 2025
By default, Liferay Portal 7.4.0 through 7.4.3.119, and older unsupported versions, and Liferay DXP 2024.Q1.1 through 2024.Q1.5, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions is vulnerable to DNS rebinding attacks, which allows remote attackers to redirect users to arbitrary external URLs. This vulnerability can be mitigated by changing the redirect URL security mode from IP to domain (in portal.properties that is `redirect.url.security.mode=domain` with an explicit `redirect.url.domains.allowed` list; the property names come from Liferay's portal.properties, not from this advisory).
Open Redirect
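Why the IP mode is rebindable and the domain mode is not comes down to when the host name is turned into an address. The following added example (not Liferay's code and not from stack.watch) models both checks against a scripted resolver: the attacker's record answers the portal's own IP when the server validates the redirect and a different IP when the victim's browser follows it. `SERVER_IPS`, `ALLOWED_DOMAINS`, the TEST-NET addresses and the host names are constructed for the demonstration.

```python
from collections import deque
from urllib.parse import urlsplit

SERVER_IPS = {"127.0.0.1", "203.0.113.10"}   # assumption: the portal's own addresses
ALLOWED_DOMAINS = {"portal.example.com"}      # assumption: hosts a redirect may target


class ScriptedResolver:
    """Constructed stand-in for DNS. Each host answers with its scripted IPs in
    order and then keeps repeating the last one. A rebinding attacker's record
    is modelled as [server IP, attacker IP] with a TTL of zero."""

    def __init__(self, answers):
        self._answers = {host: deque(ips) for host, ips in answers.items()}

    def resolve(self, host: str) -> str:
        queue = self._answers[host]
        return queue[0] if len(queue) == 1 else queue.popleft()


def host_of(url: str) -> str:
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no host in {url!r}")
    return host.lower()


def redirect_allowed_ip_mode(url: str, resolver) -> bool:
    """IP mode: resolve the host at validation time and accept it if the answer is
    one of our own addresses. The decision is only as good as that one lookup."""
    return resolver.resolve(host_of(url)) in SERVER_IPS


def redirect_allowed_domain_mode(url: str, allowed=ALLOWED_DOMAINS) -> bool:
    """Domain mode: compare the host name itself against an allowlist. No lookup
    happens, so there is nothing for the attacker to rebind. Exact match only;
    wildcard entries are left out of this example."""
    return host_of(url) in allowed


def follow_redirect(url: str, resolver):
    """Return (accepted_by_server, ip_the_victim_browser_connects_to) under IP mode."""
    if not redirect_allowed_ip_mode(url, resolver):
        return False, None
    # The browser resolves the name again when it follows the Location header.
    return True, resolver.resolve(host_of(url))
```

The IP-mode check is a time-of-check/time-of-use bug: the server's lookup and the browser's lookup are two different DNS queries, and the attacker controls the answer to each. The domain-mode check has no second lookup to diverge from the first.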
Liferay 7.4.x & DXP 2024.Q1.x Password Enumeration via Brute Force
CVE-2025-62257
- October 29, 2025
Password enumeration vulnerability in Liferay Portal 7.4.0 through 7.4.3.119, and older unsupported versions, and Liferay DXP 2024.Q1.1 through 2024.Q1.5, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions allows remote attackers to determine a user's password via brute force even when account lockout is enabled.
Improper Restriction of Excessive Authentication Attempts
CSRF in Liferay Portal Headless API 7.4.0-7.4.3.107, 7.4 GA-92, 7.3 GA-35
CVE-2025-62258
- October 27, 2025
CSRF vulnerability in Headless API in Liferay Portal 7.4.0 through 7.4.3.107, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions allows remote attackers to execute any Headless API via the `endpoint` parameter.
Session Riding
Liferay Portal 7.4.x API Access Before Email Verification Allows Remote Edits
CVE-2025-62259
- October 27, 2025
Liferay Portal 7.4.0 through 7.4.3.109, and older unsupported versions, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions does not limit access to APIs before a user has verified their email address, which allows remote users to access and edit content via the API.
AuthZ
DoS via Unbounded Result Size in Liferay 7.4.0-7.4.3.99 Headless API
CVE-2025-62260
- October 27, 2025
Liferay Portal 7.4.0 through 7.4.3.99, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions does not limit the number of objects returned from Headless API requests, which allows remote attackers to perform denial-of-service (DoS) attacks on the application by executing a request that returns a large number of objects.
Resource Exhaustion
Plaintext Password Reset Token Storage in Liferay Portal 7.4.0-7.4.3.99
CVE-2025-62261
- October 27, 2025
Liferay Portal 7.4.0 through 7.4.3.99, and older unsupported versions, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 34, and older unsupported versions stores password reset tokens in plain text, which allows attackers with access to the database to obtain the token, reset a user's password and take over the user's account.
Cleartext Storage of Sensitive Information
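The fix for this class of bug is to treat a reset token like a session secret: store only a hash, keep the plaintext in the emailed link, and make it expire and burn on first use. The following is an added example of that pattern, not Liferay's implementation and not from stack.watch; the table layout, the 15-minute TTL, the frozen clock and the user ids are constructed for the demonstration.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

TOKEN_TTL_SECONDS = 15 * 60   # assumption: a reset link is valid for 15 minutes


@dataclass
class ResetRow:
    """One row of the reset-token table. Only the digest is stored."""
    token_sha256: str
    user_id: int
    expires_at: float
    used: bool = False


class ResetTokenStore:
    """In-memory stand-in for the table that CVE-2025-62261 describes. The
    plaintext token exists only in the e-mailed link; the table holds its
    SHA-256, so a database read yields nothing that can be redeemed."""

    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now
        self._rows: Dict[str, ResetRow] = {}

    @staticmethod
    def digest(token: str) -> str:
        # A plain hash is enough: the token is 256 random bits, so there is
        # nothing for an offline guesser to enumerate (unlike a user password).
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id: int) -> str:
        token = secrets.token_urlsafe(32)           # 32 bytes from the OS CSPRNG
        self._rows[self.digest(token)] = ResetRow(
            self.digest(token), user_id, self._now() + TOKEN_TTL_SECONDS)
        return token                                # goes into the e-mail only

    def redeem(self, token: str) -> Optional[int]:
        """Return the user id if `token` is valid, unexpired and unused, else None.
        A dictionary lookup by digest is safe here: equality on an unguessable
        digest leaks nothing about other rows."""
        row = self._rows.get(self.digest(token))
        if row is None or row.used or self._now() > row.expires_at:
            return None
        row.used = True                             # single use
        return row.user_id

    def leak_table(self) -> List[Tuple[str, int]]:
        """What an attacker with database read access sees."""
        return [(r.token_sha256, r.user_id) for r in self._rows.values()]


def demo() -> dict:
    """Walk through issue -> database leak -> attempted misuse -> legitimate use."""
    clock = {"t": 1_700_000_000.0}                  # constructed frozen clock
    store = ResetTokenStore(now=lambda: clock["t"])
    token = store.issue(42)
    leaked_digest, _ = store.leak_table()[0]
    result = {
        "attacker_with_db_dump": store.redeem(leaked_digest),   # None
        "legitimate_user": store.redeem(token),                 # 42
        "replay": store.redeem(token),                          # None
    }
    stale = store.issue(7)
    clock["t"] += TOKEN_TTL_SECONDS + 1
    result["expired"] = store.redeem(stale)                      # None
    return result
```

The attacker who dumps the table holds `sha256(token)`, and submitting that hex string gets hashed again on the way in, so it never matches. Rotating the stored digest to an HMAC under a server-side key would additionally survive a partial leak of a weakly generated token, but with a CSPRNG token the plain hash is sufficient.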
Info Disclosure via LDAP Import Log Leakage in Liferay Portal 7.4.0-7.4.3.97
CVE-2025-62262
- October 27, 2025
Information exposure through log file vulnerability in the LDAP import feature in Liferay Portal 7.4.0 through 7.4.3.97, and older unsupported versions, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions allows local users to view user email addresses in the log files.
Insertion of Sensitive Information into Log File
Liferay Portal/DXP XSS via Account Roles Title & Org Name (<2023.Q3.4)
CVE-2025-62263
- October 27, 2025
Multiple cross-site scripting (XSS) vulnerabilities in Liferay Portal 7.3.7 through 7.4.3.103, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 service pack 3 through update 36 allow remote attackers to inject arbitrary web script or HTML via a crafted payload injected into (a) an Account Role's Title text field, rendered on the (1) view account role page or (2) select account role page; or (b) an Organization's Name text field, rendered on the (1) view account page, (2) view account organization page, or (3) select account organization page.
XSS
Liferay Portal 7.4.* Open Redirect via GroupPagesPortlet _redirect
CVE-2025-62253
- October 27, 2025
Open redirect vulnerability in page administration in Liferay Portal 7.4.0 through 7.4.3.97, and older unsupported versions, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions allows remote attackers to redirect users to arbitrary external URLs via the _com_liferay_layout_admin_web_portlet_GroupPagesPortlet_redirect parameter.
Open Redirect
Liferay Portal 7.4 ComboServlet DoS via oversized file combos
CVE-2025-62254
- October 23, 2025
The ComboServlet in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.2, 2023.Q3.1 through 2023.Q3.5, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions does not limit the number or size of the files it will combine, which allows remote attackers to create very large responses that lead to a denial of service attack via the URL query string.
Directory traversal
Liferay Portal XSS via Attachment Filename (7.4.0-7.4.3.101)
CVE-2025-62255
- October 23, 2025
Self cross-site scripting (XSS) vulnerability on the edit Knowledge Base article page in Liferay Portal 7.4.0 through 7.4.3.101, and older unsupported versions, and Liferay DXP 2023.Q3.1 through 2023.Q3.5, 7.4 GA through update 92, and older unsupported versions allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into an attachment's filename.
XSS
Liferay Portal 7.4.x OpenAPI YAML File Disclosure via URL
CVE-2025-62256
- October 23, 2025
Liferay Portal 7.4.0 through 7.4.3.109, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.7, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions does not properly restrict access to OpenAPI in certain circumstances, which allows remote attackers to access the OpenAPI YAML file via a crafted URL.
AuthZ
Liferay Portal 7.4.x Collection Provider Missing Authorization
CVE-2025-62247
- October 22, 2025
Missing authorization in the Collection Provider component in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.9, 2025.Q1.0 through 2025.Q1.16, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.19 allows instance users to read and select unauthorized Blueprints through Collection Providers across instances.
AuthZ
Reflected XSS in Liferay Portal 7.4.0-7.4.3.132 & DXP 2024-2025 via DDMPortlet_definition parameter
CVE-2025-62248
- October 22, 2025
A reflected cross-site scripting (XSS) vulnerability, resulting from a regression, has been identified in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.9, 2025.Q1.0 through 2025.Q1.16, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.19 allows a remote, authenticated attacker to inject and execute JavaScript code via the _com_liferay_dynamic_data_mapping_web_portlet_DDMPortlet_definition parameter. The malicious payload is executed within the victim's browser when they access a URL that includes the crafted parameter.
XSS
Liferay Portal/DXP XSS via google_gadget 7.4.0-7.4.3.132 & Q3 2025
CVE-2025-62249
- October 21, 2025
A reflected cross-site scripting (XSS) vulnerability in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q3.0 through 2025.Q3.2, 2025.Q2.0 through 2025.Q2.12, 2025.Q1.0 through 2025.Q1.17, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.20, and 2023.Q4.0 through 2023.Q4.10 allows a remote unauthenticated attacker to inject JavaScript into the google_gadget.
XSS
Liferay Portal 7.4.0-7.4.3.132 Improper Authentication via Unauthenticated Cluster Messages
CVE-2025-62250
- October 21, 2025
Improper authentication in Liferay Portal 7.4.0 through 7.4.3.132, and older unsupported versions, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions allows remote attackers to send malicious data via unauthenticated cluster messages, which the affected versions treat as trusted data.
Origin Validation Error
Liferay 7.3-7.4.3.119 / DXP 2023.Q3-Q4 Info Leak via Menu Display Widget (CVE-2025-62251)
CVE-2025-62251
- October 13, 2025
Liferay Portal 7.3.0 through 7.4.3.119, and Liferay DXP 2023.Q3.1 through 2023.Q3.8, 2023.Q4.0 through 2023.Q4.5, 7.4 GA through update 92 and 7.3 GA through update 36 shows content to users who do not have permission to view it via the Menu Display widget. This flaw could result in sensitive information being exposed to unauthorized users.
Incorrect Permission Assignment for Critical Resource
Liferay Portal 7.4.0-7.4.3.111 IDOR via UsersAdminPortlet addUserIds
CVE-2025-62252
- October 13, 2025
Insecure Direct Object Reference (IDOR) vulnerability in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions allows remote authenticated users in one virtual instance to assign an organization to a user in a different virtual instance via the _com_liferay_users_admin_web_portlet_UsersAdminPortlet_addUserIds parameter.
Insecure Direct Object Reference / IDOR
Multiple Stored XSS in Liferay Portal 7.4.0-7.4.3.111 & DXP 2023.Q4.0-Q4.5
CVE-2025-62246
- October 13, 2025
Multiple stored cross-site scripting (XSS) vulnerabilities in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92, and older unsupported versions allow remote authenticated users to inject arbitrary web script or HTML via a crafted payload injected into a user's first, middle or last name text field, rendered by (1) the page comments widget, (2) blog entry comments, (3) document and media document comments, (4) message board messages, (5) wiki page comments or (6) other widgets/apps that support mentions.
XSS
Liferay DXP 2023.Q4.x: IDOR in CommerceOrderPortlet Enables Address Disclosure
CVE-2025-62241
- October 13, 2025
Insecure Direct Object Reference (IDOR) vulnerability with shipment addresses in Liferay DXP 2023.Q4.1 through 2023.Q4.5 allows remote authenticated users in one virtual instance to view the shipment addresses of a different virtual instance via the _com_liferay_commerce_order_web_internal_portlet_CommerceOrderPortlet_commerceOrderId parameter.
Insecure Direct Object Reference / IDOR
IDOR in Liferay Portal 7.4.3.x & DXP 2023 Qx AccountEntriesAdminPortlet addressId
CVE-2025-62242
- October 13, 2025
Insecure Direct Object Reference (IDOR) vulnerability with account addresses in Liferay Portal 7.4.3.4 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 GA through update 92 allows remote authenticated users in one account to view addresses from a different account via the _com_liferay_account_admin_web_internal_portlet_AccountEntriesAdminPortlet_addressId parameter.
Insecure Direct Object Reference / IDOR
IDOR in Liferay Portal 7.4.* Publications allows comment view/edit
CVE-2025-62243
- October 13, 2025
Insecure direct object reference (IDOR) vulnerability in Publications in Liferay Portal 7.4.1 through 7.4.3.112, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 GA through update 92 allows remote authenticated attackers to view publication comments via the _com_liferay_change_tracking_web_portlet_PublicationsPortlet_value parameter. In the same versions, publication comments do not properly check user permissions, which allows remote authenticated users to edit publication comments via crafted URLs.
AuthZ
IDOR in Liferay Portal Publications (7.3.1-7.4.3.111 & 7.4 GA-92)
CVE-2025-62244
- October 13, 2025
Insecure direct object reference (IDOR) vulnerability in Publications in Liferay Portal 7.3.1 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 GA through update 92, and 7.3 GA through update 36 allows remote authenticated attackers to view the edit page of a publication via the _com_liferay_change_tracking_web_portlet_PublicationsPortlet_ctCollectionId parameter.
Insecure Direct Object Reference / IDOR
CVE-2025-62245: CSRF in Liferay Portal 7.4.1-7.4.3.112 (Publication Comments)
CVE-2025-62245
- October 10, 2025
Cross-site request forgery (CSRF) vulnerability in Liferay Portal 7.4.1 through 7.4.3.112, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.10, and 7.4 GA through update 92 allows remote attackers to add and edit publication comments.
Session Riding
Stored XSS in Liferay Portal 7.4.3.8-7.4.3.111 Order View
CVE-2025-62237
- October 10, 2025
Stored cross-site scripting (XSS) vulnerability in Commerce's view order page in Liferay Portal 7.4.3.8 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 update 8 through update 92 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into an Account's Name text field.
XSS
Liferay Portal/DXP Stored XSS via Account Name (7.4.3.21-111, 2023.Q3-Q4)
CVE-2025-62238
- October 10, 2025
Stored cross-site scripting (XSS) vulnerability on the Membership page in Account Settings in Liferay Portal 7.4.3.21 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 update 21 through update 92 allows remote authenticated attackers to inject arbitrary web script or HTML via a crafted payload injected into an Account's Name text field.
XSS
XSS in Liferay Workflow Builder 7.4.3.21-111 & DXP 2023.Q3.1-3.8/Q4.0-4.5
CVE-2025-62239
- October 10, 2025
Cross-site scripting (XSS) vulnerability in the workflow process builder in Liferay Portal 7.4.3.21 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 update 21 through update 92 allows remote authenticated attackers to inject arbitrary web script or HTML via crafted input in a workflow definition.
XSS
Liferay Portal 7.4.x DXP XSS via Calendar Event Name Fields
CVE-2025-62240
- October 09, 2025
Multiple cross-site scripting (XSS) vulnerabilities with Calendar events in Liferay Portal 7.4.3.35 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.7, 7.4 update 35 through update 92, and 7.3 update 25 through update 36 allow remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a user's (1) First Name, (2) Middle Name or (3) Last Name text field.
XSS
XSS in Liferay Portal 7.4.x Notification widget 7.4.3.102-111 & DXP 2023.Q4.0-5/Q3.1-10
CVE-2025-43771
- October 08, 2025
Multiple cross-site scripting (XSS) vulnerabilities in the Notifications widget in Liferay Portal 7.4.3.102 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5 and 2023.Q3.1 through 2023.Q3.10 allow remote attackers to inject arbitrary web script or HTML via a crafted payload injected into (1) a user's First Name text field, (2) a user's Middle Name text field, (3) a user's Last Name text field, (4) the Other Reason text field when flagging content, or (5) the name of the flagged content.
XSS
Liferay Portal 7.4.3.18-111 & DXP 2023 Q4.x Stored XSS via SVG in Commerce Diagram Products
CVE-2025-43829
- October 08, 2025
Stored cross-site scripting (XSS) vulnerability in diagram type products in Commerce in Liferay Portal 7.4.3.18 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 update 18 through update 92 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a SVG file.
XSS
Liferay Forms XSS: Remote Script Injection (Portal 7.3+, DXP 2023.Q3-2023.Q4)
CVE-2025-43830
- October 08, 2025
Stored cross-site scripting (XSS) vulnerability in Forms in Liferay Portal 7.3.2 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92, and 7.3 GA through update 35 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a form with a rich text type field.
XSS
XSS in Commerce Comparison Table Widget Liferay 7.4.x & DXP 2023.Q4/Q3
CVE-2025-43821
- October 08, 2025
Cross-site scripting (XSS) vulnerability in the Commerce Product Comparison Table widget in Liferay Portal 7.4.0 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 GA through update 92 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a Commerce Product's Name text field.
XSS
Liferay Portal 7.4.x XSS via Payment Terms Name Field 7.4.3.15-111
CVE-2025-43822
- October 07, 2025
Multiple stored cross-site scripting (XSS) vulnerabilities in Liferay Portal 7.4.3.15 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 update 15 through update 92 allow remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a Terms and Conditions' Name text field, rendered as (1) the Payment Terms or (2) the Delivery Terms on the view order page.
XSS
XSS in Liferay Portal 7.4.0-7.4.3.111 Commerce Search Result widget
CVE-2025-43823
- October 07, 2025
Cross-site scripting (XSS) vulnerability in the Commerce Search Result widget in Liferay Portal 7.4.0 through 7.4.3.111, and Liferay DXP 2023.Q4 before patch 6, 2023.Q3 before patch 9, and 7.4 GA through update 92 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a Commerce Product's Name text field.
XSS
Profile widget vCard extension tampering Liferay Portal 7.4, DXP 2023.Q4
CVE-2025-43824
- October 06, 2025
The Profile widget in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92, and older unsupported versions uses a user's name in the Content-Disposition header, which allows remote authenticated users to change the file extension when a vCard file is downloaded.
XSS
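A display name that reaches a response header unchanged can close the quoted `filename` parameter, smuggle in a second extension, or, if it contains CR/LF, start a new header. The following added example (not Liferay's code and not from stack.watch) shows the naive pattern the advisory describes beside a hardened builder that strips header-unsafe characters, forces the `.vcf` extension, and carries non-ASCII names in an RFC 5987 `filename*` parameter. The character set, the 64-character cap and the sample names are this example's own choices.

```python
import re
import unicodedata
from urllib.parse import quote

# Characters that must never reach a header value: CR/LF and other controls (header
# injection), the quote and backslash (parameter escape), separators, and the
# characters Windows refuses in file names.
_UNSAFE = re.compile(r'[\x00-\x1f\x7f"\\;/:*?<>|]+')
MAX_NAME = 64   # assumption: keep the derived file name short


def naive_vcard_disposition(user_name: str) -> str:
    """Constructed illustration of the pattern the advisory describes: the display
    name is dropped straight into the header. Not Liferay's code."""
    return f'attachment; filename="{user_name}.vcf"'


def safe_vcard_disposition(user_name: str, ext: str = ".vcf") -> str:
    """Build the header from an untrusted display name so that the extension is
    always `ext`, the value stays on one line, and non-ASCII names survive via
    RFC 5987 filename*."""
    name = unicodedata.normalize("NFKC", user_name)
    name = _UNSAFE.sub("", name)
    # Dots become underscores so the only extension is the one we append.
    name = name.replace(".", "_").strip(" _")[:MAX_NAME] or "contact"
    ascii_name = name.encode("ascii", "ignore").decode() or "contact"
    return (f'attachment; filename="{ascii_name}{ext}"; '
            f"filename*=UTF-8''{quote(name + ext, safe='')}")


def header_is_single_line(value: str) -> bool:
    return "\r" not in value and "\n" not in value
```

Whether a given browser picks the first or last `filename` parameter from a duplicated header is browser-specific, which is exactly why the safe builder never lets the user decide how many there are.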
Liferay Portal 7.4.0-7.4.3.132 / DXP 2024-2025: Sensitive User Data Exposed in Freemarker Templates
CVE-2025-43825
- October 03, 2025
A vulnerability in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.4, 2024.Q4.0 through 2024.Q4.5, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, and 7.4 GA through update 92 allows sensitive user data to be included in the Freemarker template. This weakness permits an unauthorized actor to gain access to, and potentially render, confidential information that should remain restricted.
Insertion of Sensitive Information Into Sent Data
Stored XSS in Liferay Portal Web Content translation 7.4.0-7.4.3.112
CVE-2025-43826
- September 30, 2025
Stored cross-site scripting (XSS) vulnerabilities in Web Content translation in Liferay Portal 7.4.0 through 7.4.3.112, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.8, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions allow remote attackers to inject arbitrary web script or HTML via any rich text field in a web content article.
XSS
IDOR in Liferay 7.4.x/DXP 2024.Q1.x allows authenticated audit event viewing
CVE-2025-43827
- September 30, 2025
Insecure Direct Object Reference (IDOR) vulnerability with audit events in Liferay Portal 7.4.0 through 7.4.3.117, and older unsupported versions, and Liferay DXP 2024.Q1.1 through 2024.Q1.5, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions allows remote authenticated users in one virtual instance to view the audit events of a different virtual instance via the _com_liferay_portal_security_audit_web_portlet_AuditPortlet_auditEventId parameter.
Insecure Direct Object Reference / IDOR
Liferay Portal/DXP XSS via redirect param (7.4.3.74-111)
CVE-2025-43817
- September 29, 2025
Multiple reflected cross-site scripting (XSS) vulnerabilities in Liferay Portal 7.4.3.74 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.6, 2023.Q3.1 through 2023.Q3.8, and 7.4 update 74 through update 92 allow remote attackers to inject arbitrary web script or HTML via the `redirect` parameter to (1) Announcements, or (2) Alerts.
XSS
Liferay Portal ComboServlet Path Traversal CVE-2025-43813
CVE-2025-43813
- September 29, 2025
Possible path traversal vulnerability and denial-of-service in the ComboServlet in Liferay Portal 7.4.0 through 7.4.3.107, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.4, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions allows remote attackers to access arbitrary CSS and JS files and load the same files multiple times via the query string in a URL.
Directory traversal
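The two ComboServlet entries on this page (CVE-2025-62254 above and CVE-2025-43813 here) describe the same missing controls from two angles: no containment check on the file names in the query string, and no cap on how many files, or how many bytes, one request may combine. The following added example, not Liferay's servlet and not from stack.watch, is a minimal combiner with those controls. Treating bare query keys that start with `/` as file names is a simplification of the real combo URL format, and the limits, suffix list and fixture files are constructed for the demonstration.

```python
import tempfile
from pathlib import Path
from typing import List
from urllib.parse import parse_qs

MAX_FILES = 20             # assumption: files per combo request
MAX_TOTAL_BYTES = 512_000  # assumption: response budget in bytes
ALLOWED_SUFFIXES = {".css", ".js"}


class ComboError(ValueError):
    """Raised for any request the hardened combiner refuses."""


def combo_entries(query: str) -> List[str]:
    """Query-string keys that name files (they start with '/'), deduplicated in order,
    so the same file repeated in the URL is served once."""
    seen, out = set(), []
    for key in parse_qs(query, keep_blank_values=True):
        if key.startswith("/") and key not in seen:
            seen.add(key)
            out.append(key)
    return out


def combine(query: str, root: Path, max_files: int = MAX_FILES,
            max_bytes: int = MAX_TOTAL_BYTES) -> bytes:
    """Concatenate the requested static files, refusing traversal, non-asset files,
    too many files, or too many bytes."""
    root = root.resolve()
    entries = combo_entries(query)
    if not entries:
        raise ComboError("no files requested")
    if len(entries) > max_files:
        raise ComboError(f"{len(entries)} files exceeds the limit of {max_files}")
    budget, chunks = max_bytes, []
    for name in entries:
        path = (root / name.lstrip("/")).resolve()
        # Containment is checked after resolve(), which folds '..' and symlinks.
        if path != root and root not in path.parents:
            raise ComboError(f"path escapes the static root: {name}")
        if path.suffix.lower() not in ALLOWED_SUFFIXES or not path.is_file():
            raise ComboError(f"not a servable asset: {name}")
        budget -= path.stat().st_size        # sizes are known before any bytes are read
        if budget < 0:
            raise ComboError("combined size exceeds the response budget")
        chunks.append(path.read_bytes())
    return b"\n".join(chunks)


def refused(query: str, root: Path, **limits) -> bool:
    """True if the hardened combiner rejects the request."""
    try:
        combine(query, root, **limits)
    except ComboError:
        return True
    return False


def build_fixture() -> Path:
    """Constructed directory tree: a static root with two assets, plus a file outside
    it that a traversal request would target."""
    base = Path(tempfile.mkdtemp())
    root = base / "static"
    root.mkdir()
    (root / "a.css").write_text("body{margin:0}")
    (root / "b.js").write_text("console.log('b')")
    (base / "portal-ext.properties").write_text("jdbc.default.password=hunter2")
    return root
```

Note that `parse_qs` percent-decodes keys, so `%2e%2e` arrives as `..` and is caught by the same containment check; the budget is computed from `stat()` before anything is read, so an oversized request costs no I/O.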
Liferay Portal XSS in web content template Name field 7.4.3.4-7.4.3.111
CVE-2025-43812
- September 29, 2025
Cross-site scripting (XSS) vulnerability in web content templates in Liferay Portal 7.4.3.4 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.4, 2023.Q3.1 through 2023.Q3.8, and 7.4 GA through update 92 allows remote authenticated users to inject arbitrary web script or HTML via a crafted payload injected into a web content structure's Name text field.
XSS
Stored XSS in Liferay Portal related asset selector 7.4.3.50-7.4.3.111
CVE-2025-43811
- September 29, 2025
Multiple stored cross-site scripting (XSS) vulnerabilities in the related asset selector in Liferay Portal 7.4.3.50 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.4, 2023.Q3.1 through 2023.Q3.7, and 7.4 update 50 through update 92 allow remote authenticated attackers to inject arbitrary web script or HTML via a crafted payload injected into an asset author's (1) First Name, (2) Middle Name, or (3) Last Name text field.
XSS
XSS in Liferay Portal 7.4.3.35-7.4.3.110 Calendar Widget: User Name Fields
CVE-2025-43820
- September 29, 2025
Multiple cross-site scripting (XSS) vulnerabilities in the Calendar widget when inviting users to an event in Liferay Portal 7.4.3.35 through 7.4.3.110, and Liferay DXP 2023.Q4.0 through 2023.Q4.4, 2023.Q3.1 through 2023.Q3.6, 7.4 update 35 through update 92, and 7.3 update 25 through update 35 allow remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a user's (1) First Name, (2) Middle Name, or (3) Last Name text field.
XSS
Liferay Portal XSS via Calendar Widget Name 7.4.3.35-110, DXP 2023.Q4.0-4
CVE-2025-43818
- September 29, 2025
Cross-site scripting (XSS) vulnerability in the Calendar widget in Liferay Portal 7.4.3.35 through 7.4.3.110, and Liferay DXP 2023.Q4.0 through 2023.Q4.4, 2023.Q3.1 through 2023.Q3.6, 7.4 update 35 through update 92, and 7.3 update 25 through update 36 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a Calendar's Name text field.
XSS
Liferay Portal 7.4.3.102-110 / DXP 2023.Q4.0-2 XSS via backURLTitle
CVE-2025-43815
- September 29, 2025
Reflected cross-site scripting (XSS) vulnerability on the page configuration page in Liferay Portal 7.4.3.102 through 7.4.3.110, and Liferay DXP 2023.Q4.0 through 2023.Q4.2, and 2023.Q3.5 allows remote attackers to inject arbitrary web script or HTML via the com_liferay_layout_admin_web_portlet_GroupPagesPortlet_backURLTitle parameter.
XSS