Known Vulnerabilities
  • CVE-2025-43825 Sensitive user data available to FreeMarker template

  • CVE-2025-43816 Memory leak when consuming the headless API for StructuredContents

  • CVE-2025-43819 User session is not killed by SLO API

  • CVE-2025-43814 Password reminder answers recorded in audit events

  • CVE-2025-43806 Unauthorized access to exported data from batch engine

  • CVE-2025-43809 CSRF vulnerability with server (license) registration

  • CVE-2025-43801 DoS via unchecked input for loop condition in XML-RPC

  • CVE-2025-43804 Reflected XSS in Search widget

  • CVE-2025-43805 Display Page Templates visible to unauthorized users

  • CVE-2025-43791 XSS with Rich Text fields in Data Engine

  • CVE-2025-43792 Staging site data exfiltration

  • CVE-2025-43793 Supercookie

  • CVE-2025-43794 XSS with CDN host name

  • CVE-2025-43797 Insecure default site membership type

  • CVE-2025-43798 Time-based One-Time Password (TOTP) reuse

  • CVE-2025-43800 XSS with rich text type fields in objects

  • CVE-2025-43787 Stored XSS via organization site names

  • CVE-2025-43796 GraphQL does not limit page size

  • CVE-2025-43784 Illegal access to Object Entries information from the API Builder

  • CVE-2025-43785 Stored XSS in Workflow Notifications

  • CVE-2025-43783 Reflected XSS on the "/c/portal/comment/discussion/get_editor" path

  • CVE-2025-43776 The Process Builder's Configuration tab fails to properly escape stored JavaScript code

  • CVE-2025-43777 Internal server error message in the response body

  • CVE-2025-43778 Stored XSS on the name of a fieldset

  • CVE-2025-43774 is a False Positive

  • CVE-2025-43763 SSRF in custom objects attachment fields

  • CVE-2025-43773 Missing permission checks in expandoTableLocalService

  • CVE-2025-43747 SSRF in Analytics Cloud domain validation

  • CVE-2025-43744 Stored DOM-Based XSS in the Asset Publisher configuration UI

  • CVE-2025-43740 Stored XSS in message boards feature

  • CVE-2025-43738 Reflected XSS via ExpandoPortlet displayType parameter

  • CVE-2025-43737 Reflected XSS through JournalPortlet backUrl parameter

  • CVE-2025-43745 CSRF vulnerability in 'endpoint' parameter

  • CVE-2025-43779 Reflected XSS in CPDefinitionsPortlet_productTypeName parameter

  • CVE-2025-43746 Reflected XSS in Dynamic Data Mapping portletNamespace and Portlet_namespace parameter

  • CVE-2025-43757 Reflected XSS in Dynamic Data Mapping DDMPortlet_definition parameter

  • CVE-2025-43756 Reflected XSS in snippet parameter

  • CVE-2025-43760 Reflected XSS in back button for My Sites Portlet

  • CVE-2025-43752 Temp file upload in attachment field object entry is not cleaned up

  • CVE-2025-43755 Stored XSS via GroupPagesPortlet_type parameter

  • CVE-2025-43734 Reflected XSS in Clay Button taglib

  • CVE-2025-4604 CAPTCHA Bypass for Gogo Shell

  • CVE-2025-3639 Sign in via GET method when MFA enabled

  • CVE-2025-43732 IDOR in groupID parameter

  • CVE-2025-62249 Reflected XSS in google_widget

  • CVE-2025-62250 Portal fails to verify that messages from the cluster network are trusted

  • CVE-2025-4388 Reflected XSS in marketplace-app-manager-web

  • CVE-2025-43736 Liferay allows a profile picture larger than 300kb in the user profile

  • CVE-2025-43753 Reflected XSS in Embedded Message field from the form container

  • CVE-2025-43733 Reflected XSS with page name in document View Usages

  • CVE-2025-43731 Reflected XSS in Message Board Threads and Categories

  • CVE-2025-43739 Observable discrepancy in calendar portlet

  • CVE-2025-43790 Object entries can be related with entries of other instances

  • CVE-2025-43789 JSON Web Services published to OSGi are registered and invoked directly as classes

  • CVE-2025-43782 Unauthorized access to workflow definition via API

  • CVE-2025-43788 Unauthorized view access to Organization names

  • CVE-2025-43781 Reflected XSS in search bar portlet

  • CVE-2025-4655 SSRF in FreeMarker templates

  • CVE-2025-43758 Unauthenticated users can access loaded files via URL before submitting the object entry

  • CVE-2025-43743 User enumeration in calendar portlet

  • CVE-2025-4576 Reflected XSS in blogs-web

  • CVE-2025-4581 Blind SSRF in portal-settings-authentication-opensso-web

  • CVE-2025-43742 Reflected XSS in friendly urls with display page template

  • CVE-2025-43741 Reflected XSS in assetTagNames parameter

  • CVE-2025-43768 JSONWS API endpoint shares sensitive information

  • CVE-2025-43767 Open redirect in /c/portal/edit_info_item parameter redirect

  • CVE-2025-43766 Unrestricted upload of file in the style books component

  • CVE-2025-43765 Stored cross-site scripting in text field of the web content structure

  • CVE-2025-43764 ReDoS with Role Name search in KaleoDesignerPortlet

  • CVE-2025-43754 Username enumeration vulnerability when updating user old password encryption

  • CVE-2025-43770 Reflected XSS with the referer and forward parameter

  • CVE-2025-43751 User enumeration using create account

  • CVE-2025-43735 Reflected XSS in google_widget

  • CVE-2025-43761 Reflected XSS in CKEditor 4.21.0 endpoint

  • CVE-2025-4599 Cross-Site Scripting (XSS) Vulnerability in Fragment Preview Functionality

  • CVE-2025-43759 Users are able to add system admin portlets to pages

  • CVE-2025-43749 Unauthenticated users can access loaded files via URL before submitting the form

  • CVE-2025-43762 Users can upload an unlimited amount of files

  • CVE-2025-43750 Liferay form upload field allows file extensions to be obfuscated

  • CVE-2025-2565 Exposure of data through form entry to unauthorized users

  • CVE-2025-2536 DOM based XSS at /o/layout-taglib/__liferay__/index.js

  • CVE-2025-43786 Enumeration of ERC from Object Entry by time response

  • CVE-2025-3760 Stored XSS with radio button type custom fields

  • CVE-2025-43769 Stored XSS in Components portlet

  • CVE-2025-43775 Stored XSS in remote apps component

  • CVE-2024-11993 Reflected XSS in Dispatch Name field

  • CVE-2025-43799 Change password requirement bypass

  • CVE-2025-43824 HTTP response injection/splitting vulnerability with vCard

  • CVE-2025-43803 IDOR vulnerability in Contacts Center

  • CVE-2025-43830 XSS when viewing form entries with rich text fields

  • CVE-2025-43771 XSS with flagged content notifications

  • CVE-2025-43807 XSS with publication invitation notifications

  • CVE-2025-62244 Edit publication page IDOR

  • CVE-2025-62245 CSRF vulnerability with publication comments

  • CVE-2025-43810 Adding a note to an order from another virtual instance

  • CVE-2025-62241 Access to shipment address in another instance

  • CVE-2025-43827 IDOR audit events

  • CVE-2025-43826 Stored XSS with web content translation

  • CVE-2025-62246 Stored XSS with mentions in comments

  • CVE-2025-62251 The Menu Display Widget shows content to users without permission to view it

  • CVE-2025-62252 Assign user from another instance to an organization

  • CVE-2025-43812 Stored XSS with structure name in template

  • CVE-2025-43808 Unauthorized access to virtual products

  • CVE-2025-43795 Open redirect in System Settings, Instance Settings and Site Settings

  • CVE-2023-37940 XSS with "Service Class" in Service Access Policy

  • CVE-2025-3602 GraphQL queries do not limit depth

  • CVE-2025-43813 Possible path traversal and DoS with Combo Servlet

  • CVE-2025-43817 Reflected XSS with redirect parameter in Announcements and Alerts

  • CVE-2025-3526 DoS vulnerability with SessionClicks

  • CVE-2025-3594 DoS vulnerability with SessionClicks

  • CVE-2025-43772 DoS vulnerability in Kaleo Forms Admin

  • CVE-2025-3586 Instance Admin can execute code using Objects Actions and Validations

  • CVE-2025-43748 Insufficient CSRF protection for omni-administrator actions

  • CVE-2024-8980 Mitigate against simple XSS attacks against script console

  • CVE-2025-43802 XSS with `externalReferenceCode` in Objects

  • CVE-2025-62242 Access to another account's address

  • CVE-2025-62243 Multiple vulnerabilities related to publication comments

  • CVE-2025-62237 XSS with account name in orders

  • CVE-2025-62238 XSS with account name in account settings

  • CVE-2025-62239 XSS with workflow process builder

  • CVE-2025-43829 Stored XSS with SVG files in diagram type products

  • CVE-2025-43821 Stored XSS with product name in Commerce Product Comparison Table

  • CVE-2025-43822 Stored XSS with Term name on view order page

  • CVE-2025-43823 Stored XSS with product name in Commerce Search Result

  • CVE-2025-43811 XSS vulnerability with user name when selecting a related asset

  • CVE-2025-62240 XSS with user name in calendar event

  • CVE-2025-43820 Stored XSS with user name

  • CVE-2025-43818 Stored XSS with Calendar name

  • CVE-2024-26271 CSRF bypass related to `backURL` in My Account

  • CVE-2024-26273 CSRF bypass related to `redirect` in Commerce Catalogs

  • CVE-2024-26272 CSRF bypass related to `p_l_back_url` in content page editor

  • CVE-2025-43815 Reflected XSS with `backURLTitle` in page administration

  • CVE-2024-38002 Regular users can edit workflow definition

  • CVE-2023-47795 XSS with Document and Media document title

  • CVE-2024-25151 Possible XSS & content spoofing in notifications emails

  • CVE-2023-40191 XSS with Account "Blocked Email Domains"

  • CVE-2023-42498 XSS with `key` in language override

  • CVE-2024-26266 Stored XSS with user name in Announcements & Alerts

  • CVE-2024-26269 XSS with anchor/hash part of a URL in portlet.js

  • CVE-2023-42496 XSS with `tabs2` in role assignment

  • CVE-2024-25603 Stored XSS with instanceId in DDMForm

  • CVE-2024-25152 Stored XSS with message board file attachment

  • CVE-2024-25601 Stored XSS with geolocation custom fields

  • CVE-2024-25602 Stored XSS with organization name in edit user

  • CVE-2024-25147 HtmlUtil.escapeJSLink circumvention

  • CVE-2024-26270 User's hashed password appears in page's HTML source

  • CVE-2024-26268 User enumeration vulnerability by comparing login response time

  • CVE-2024-26267 Insecure default for the property `http.header.version.verbosity`

  • CVE-2024-26265 File system flooding through the Image Uploader

  • CVE-2024-25610 Stored XSS with Blog entries (Insecure defaults)

  • CVE-2024-25609 HtmlUtil.escapeRedirect circumvention with two forward slashes

  • CVE-2024-25608 Open redirect vulnerability using Replacement Character

  • CVE-2024-25607 Default password hashing algorithm does not provide sufficient protection

  • CVE-2024-25606 XXE vulnerability in Java2WsddTask._format

  • CVE-2024-25605 Unauthorized access to Web Content templates

  • CVE-2024-25604 User can access and edit their own permissions

  • CVE-2024-25150 User full name disclosure in page title

  • CVE-2023-44308 Open redirect in adaptive media

  • CVE-2023-5190 Open redirect in Countries Management

  • CVE-2024-25149 Users without parent site membership can be registered on child sites

  • CVE-2022-45320 Wiki page privilege escalation

  • CVE-2024-25148 'doAsUserId' value may get leaked when using WYSIWYG editor to create content

  • CVE-2024-25146 Unauthorized users can discover if a site exists

  • CVE-2024-25145 Stored XSS with search results if highlighting is disabled

  • CVE-2024-25144 DoS via a self-referencing IFrame

  • CVE-2024-25143 DoS vulnerabilities via crafted PNG image

  • CVE-2021-29050 CSRF vulnerability in Terms of Use page

  • CVE-2021-29038 Password reminder answers are not obfuscated

  • CVE-2023-47798 Account lockout does not invalidate user sessions

  • CVE-2023-47797 XSS with `p_l_back_url_title` on edit content page

  • CVE-2023-42497 XSS with `redirect` in export translation

  • CVE-2023-42629 Stored XSS vulnerability with vocabulary description

  • CVE-2023-44309 XSS with fragment components

  • CVE-2023-44310 XSS with page name in Page Tree

  • CVE-2023-44311 Reflected XSS with 'code' and 'error' in OAuth2ProviderApplicationRedirect

  • CVE-2023-42628 XSS with child wiki pages

  • CVE-2023-42627 Multiple stored XSS with shipping & billing address

  • CVE-2023-3426 Unauthorized view access to Organization names

  • CVE-2023-3193 Reflected XSS with backURL in SEO configuration

  • CVE-2023-35029 Open redirect with backURL in SEO configuration

  • CVE-2023-35030 CSRF/RCE with backURL in SEO configuration

  • CVE-2023-33937 Stored XSS with form name in form configuration

  • CVE-2023-33938 Stored XSS with object name in App Builder

  • CVE-2023-33939 Stored XSS in Modified Facet

  • CVE-2023-33940 Stored XSS with IFrame type Remote App URL

  • CVE-2023-33941 Reflected XSS with 'code' and 'error' in OAuth2ProviderApplicationRedirect

  • CVE-2023-33942 Stored XSS with article title in Web Content Display widget

  • CVE-2023-33943 XSS with user name in account

  • CVE-2023-33944 XSS with container layout fragment URL

  • CVE-2023-33945 SQL injection in SQL Server upgrades

  • CVE-2023-33946 Unauthorized access to objects via OAuth 2 scope

  • CVE-2023-33947 Unauthorized access to object definition via search

  • CVE-2023-33948 Unauthorized access to Document and Media files via Forms

  • CVE-2023-33949 Users do not have to verify their email address by default

  • CVE-2023-33950 ReDoS vulnerability with Pattern Redirects

  • CVE-2022-42132 LDAP credentials exposed in URL

  • CVE-2022-42131 DDMRESTDataProvider vulnerable to man-in-the-middle attack

  • CVE-2022-42130 Unauthorized access to form entries via API

  • CVE-2022-42129 Insecure direct object reference vulnerability with Form entries

  • CVE-2022-42128 Unauthorized access to WikiNodeResource.getSiteWikiNodeByExternalReferenceCode