Skip to Main Content
  • Blogs
  • Feedback
  • Help
  • Meet
  • Chat
  • Discuss
  • Download
  • Learn
  • Log In

Known Vulnerabilities

  • Security Overview
  • Reporting Security Issues
  • Known Vulnerabilities
  • Hall of Fame

Releases

  • Liferay Portal 7.4 U132
  • Liferay Portal 7.4
  • Liferay Portal 7.3
  • Liferay Portal 7.2
  • Liferay Portal 7.1
  • Liferay Portal 7.0
  • Liferay Portal 6.2 CE
  • Liferay Faces
  • Liferay DXP 7.4
  • Liferay DXP 7.3
  • Liferay DXP 7.2
  • LIferay DXP 7.1
  • LIferay DXP 7.0
  • Liferay DXP 2025.Q4
  • Liferay DXP 2025.Q3
  • Liferay DXP 2025.Q2
  • Liferay DXP 2025.Q1
  • Liferay DXP 2024.Q4
  • Liferay DXP 2024 Q3
  • Liferay DXP 2024 Q2
  • Liferay DXP 2024 Q1
  • Liferay DXP 2023.Q4
  • Liferay DXP 2023.Q3
RSS

  • CVE-2025-43825 Sensible user data available to freemarker template

  • CVE-2025-43819 User session is not killed by SLO API

  • CVE-2025-43787 Stored XSS via organization site names

  • CVE-2025-43783 Reflected XSS on the "/c/portal/comment/discussion/get_editor" path

  • CVE-2025-43776 The Process Builder's Configuration tab fails to properly escape stored JavaScript code

  • CVE-2025-43777 Internal server error message in the response body

  • CVE-2025-43778 Stored XSS on the name of a fieldset

  • CVE-2025-43763 SSRF in custom objects attachment fields

  • CVE-2025-43773 Missing permission checks in expandoTableLocalService

  • CVE-2025-43744 Stored DOM-Based XSS in the Asset Publisher configuration UI

  • CVE-2025-43740 Stored XSS in message boards feature

  • CVE-2025-43738 Reflected XSS via ExpandoPortlet displayType parameter

  • CVE-2025-43745 CSRF vulnerability in 'endpoint' parameter

  • CVE-2025-43746 Reflected XSS in Dynamic Data Mapping portletNamespace and Portlet_namespace parameter

  • CVE-2025-43757 Reflected XSS in Dynamic Data Mapping DDMPortlet_definition parameter

  • CVE-2025-43760 Reflected XSS in back button for My Sites Portlet

  • CVE-2025-43752 Temp file upload in attachment field object entry is not cleaned up

  • CVE-2025-43755 Stored XSS via GroupPagesPortlet_type parameter

  • CVE-2025-43734 Reflected XSS in Clay Button taglib

  • CVE-2025-4604 CAPTCHA Bypass for Gogo Shell

  • CVE-2025-3639 Sign in via GET method when MFA enabled

  • CVE-2025-43732 IDOR in groupID parameter

  • CVE-2025-62247 Blueprint Collection Providers are exposed for reading and selection by other unauthorized instances

  • CVE-2025-62248 Regression of the Reflected XSS in DDMPortlet_definition parameter

  • CVE-2025-62249 Reflected XSS in google_widget

  • CVE-2025-4388 Reflected XSS in marketplace-app-manager-web

  • CVE-2025-43736 Liferay allows more than 300kb profile picture into the user profile

  • CVE-2025-43753 Reflected XSS in Embedded Message field from the form container

  • CVE-2025-43731 Reflected XSS in Message Board Threads and Categories

  • CVE-2025-43739 Observable discrepancy in calendar portlet

  • CVE-2025-43781 Reflected XSS in search bar portlet

  • CVE-2025-4655 SSRF in FreeMarker templates

  • CVE-2025-43758 Unauthenticated users can access loaded files via URL before submitting the object entry

  • CVE-2025-43743 User enumeration in calendar portlet

  • CVE-2025-4576 Reflected XSS in blogs-web

  • CVE-2025-4581 Blind SSRF in portal-settings-authentication-opensso-web

  • CVE-2025-43742 Reflected XSS in friendly urls with display page template

  • CVE-2025-43741 Reflected XSS in assetTagNames parameter

  • CVE-2025-43768 JSONWS API endpoint shares sensitive information

  • CVE-2025-43767 Open redirect in /c/portal/edit_info_item parameter redirect

  • CVE-2025-43766 Unrestricted upload of file in the style books component

  • CVE-2025-43765 Stored cross-site scripting in text field of the web content structure

  • CVE-2025-43764 ReDoS with Role Name search in KaleoDesignerPortlet

  • CVE-2025-43754 Username enumeration vulnerability when updating user old password encryption

  • CVE-2025-43770 Reflected XSS with the referer and forward parameter

  • CVE-2025-43751 User enumeration using create account

  • CVE-2025-43735 Reflected XSS in google_widget

  • CVE-2025-43761 Reflected XSS in CKeditor 4.21.0 endpoint

  • CVE-2025-4599 Cross-Site Scripting (XSS) Vulnerability in Fragment Preview Functionality

  • CVE-2025-43759 Users are able to add system admin portlets to pages

  • CVE-2025-43749 Unauthenticated users can access loaded files via URL before submitting the form

  • CVE-2025-43762 Users can upload an unlimited amount of files

  • CVE-2025-43750 Liferay form upload field allows to obfuscate file extensions

  • CVE-2025-2565 Exposure of data through form entry to unauthorized users

  • CVE-2025-2536 DOM based XSS at /o/layout-taglib/__liferay__/index.js

  • CVE-2025-43786 Enumeration of ERC from Object Entry by time response

  • CVE-2025-3760 Stored XSS with radio button type custom fields

  • CVE-2025-43769 Stored XSS in Components portlet

  • CVE-2025-43775 Stored XSS in remote apps component

Community
Company
Feedback
Blogs
Discuss
Meet
Open Source
Download
Events
Learn
Careers
Contact Us
Feedback
Help
Copyright © 2025 Liferay, Inc

Powered by Liferay™

Legal

Compliance

Privacy Policy

This Website Uses Cookies

This website uses cookies and similar tools, some of which are provided by third parties (together “tools”). These tools enable us and the third parties to access and record certain user-related and activity data and to track your interactions with this website. These tools and the informationcollected are used to operate and secure this website, enhance performance, enable certain website features and functionality, analyze and improve website performance, and personalize user experience.

If you click “Accept All”, you allow the deployment of all these tools and collection of the information by us and the third parties for all these purposes.

If you click “Decline All” your IP address and other information may still be collected but only by tools (including third party tools) that are necessary to operate, secure and enable default website features and functionalities. Review and change your preferences by clicking the “Configurations” at any time.

Visit our Privacy Policy