CVE-2025-43774 is a False Positive

Description

[Update 2025-09-18]: This vulnerability is now considered a false positive and has been officially rejected. The CVE record for CVE-2025-43774 has been updated to REJECTED status. The issue was found to be present only in a feature that was under development and protected by a beta feature flag, making it not exploitable in official product releases.


A reflected cross-site scripting (XSS) vulnerability in Liferay DXP allows a remote authenticated user to inject JavaScript code via the Style Book theme name. This malicious payload is then reflected and executed within the user's browser.

Severity

N/A (N/A)

Affected Version(s)

  • N/A

Fixed Version(s)

  • N/A

Publication date: Mon, 08 Sep 2025 12:23:00 +0000

Security advisories for Liferay's enterprise offerings (e.g., Liferay DXP) have only been listed here since 2023. Historical advisories are available in the Help Center.