Known Vulnerabilities

Missing Authorization in Collection Provider component in the Liferay Portal and Liferay DXP allows instance users to read and select unauthorized Blueprints through the Collection Providers across...

A reflected cross-site scripting (XSS) vulnerability, resulting from a regression, has been identified in Liferay Portal and Liferay DXP allows a remote, authenticated attacker to inject and...

A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal and Liferay DXP allows an remote non-authenticated attacker to inject JavaScript into the google_gadget. Liferay Portal...

Liferay DXP 2024.Q4.6 Liferay DXP 2024.Q1.13 Liferay DXP 2025.Q2.0 Liferay DXP 2025.Q1.5 A vulnerability in Liferay Portal and Liferay DXP allows sensitive user data to be included in the...

Liferay Portal 7.4.3.132 Liferay DXP 2025.Q1.0 Liferay DXP 2024.Q1.13 Liferay DXP 2024.Q4.4 Liferay Portal 7.4.3.121 through 7.3.3.131 Liferay DXP 2024.Q1.1 through 2024.Q1.12 Liferay DXP 2024.Q2.0...

A Stored cross-site scripting vulnerability in the Liferay Portal and Liferay DXP allows an remote authenticated attacker to inject JavaScript through the organization site names. The malicious...

Reflected cross-site scripting (XSS) vulnerability in Liferay Portal and Liferay DXP allows remote attackers to inject arbitrary web script or HTML via the /c/portal/comment/discussion/get_editor...

Improper Access Control vulnerability in Liferay Portal and Liferay DXP allows guest users to obtain object entries information via the API Builder. Liferay Portal 7.4.3.125 Liferay DXP 2024.Q1.13...

Liferay Portal 7.4.3.45 through 7.4.3.125 Liferay DXP 7.4 U45 through U92 Liferay DXP 2024.Q1.1 through 2024.Q1.12 Liferay DXP 2024.Q2.0 through 2024.Q2.9 Liferay Portal 7.4.3.129 Liferay Portal...

Liferay Portal 7.4.0 through 7.4.3.132 Liferay DXP 7.4 GA through U92 Liferay DXP 2024.Q1.1 through DXP 2024.Q1.19 Liferay DXP 2024.Q2.0 through DXP 2024.Q2.13 Liferay DXP 2024.Q3.0 through DXP...

Liferay DXP 2025.Q1.17 Liferay DXP 2024.Q1.20 Liferay DXP 2025.Q2.10 Liferay Portal and Liferay DXP exposes "Internal Server Error" in the response body when a login attempt is made with a deleted...

Liferay DXP 2025.Q1.17 Liferay Portal fixed on master branch Liferay DXP 2025.Q1.17 Liferay DXP 2025.Q2.12 Liferay DXP 2024.Q1.21 Liferay DXP 2024.Q1.21 Liferay DXP 2025.Q2.12 Liferay Portal...

A server-side request forgery (SSRF) vulnerability exist in the Liferay Portal and Liferay DXP that affects custom object attachment fields. This flaw allows an attacker to manipulate the...

Liferay Portal and Liferay DXP has a security vulnerability that allowing for improper access through the expandoTableLocalService. Liferay Portal fixed on master branch Liferay DXP 2025.Q2.1...

Liferay Portal and Liferay DXP allows unauthenticated users with valid credentials to bypass the login process by changing the POST method to GET, once the site has MFA enabled. Liferay Portal...

Liferay Portal fixed on master branch Liferay DXP 2025.Q2.6 Liferay DXP 2025.Q1.16 Liferay DXP 2024.Q1.21 Liferay Portal 7.4.0 through 7.4.3.132 Liferay DXP 2025.Q2.0 through 2025.Q2.5 Liferay DXP...

Liferay DXP 2025.Q2.9 Liferay Portal fixed on master branch Liferay DXP 2025.Q2.9 Liferay DXP 2025.Q1.16 Liferay DXP 2024.Q1.20 Liferay DXP 2024.Q1.20 Liferay DXP 2025.Q1.16 This issue was reported...

A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal and Liferay DXP allows a remote authenticated user to inject JavaScript code via...

Liferay Portal fixed on master branch Liferay DXP 2025.Q2.8 Liferay DXP 2025.Q1.16 Liferay DXP 2024.Q1.20 Liferay Portal 7.4.0 through 7.4.3.132 Liferay DXP 2025.Q2.0 through 2025.Q2.7 Liferay DXP...

Liferay DXP 2025.Q2.3 Liferay Portal fixed on master branch Liferay DXP 2025.Q2.3 Liferay DXP 2025.Q1.15 Liferay DXP 2024.Q1.19 Liferay DXP 2024.Q1.19 Liferay DXP 2025.Q1.15 This issue was reported...