Known Vulnerabilities
Liferay Portal 7.4.0 through 7.4.3.132 Liferay DXP 7.4 GA through U92 Liferay DXP 2024.Q1.1 through DXP 2024.Q1.19 Liferay DXP 2024.Q2.0 through DXP 2024.Q2.13 Liferay DXP 2024.Q3.0 through DXP...
Liferay DXP 2025.Q1.17 Liferay DXP 2024.Q1.20 Liferay DXP 2025.Q2.10 Liferay Portal and Liferay DXP expose "Internal Server Error" in the response body when a login attempt is made with a deleted...
N/A [Update 2025-09-18]: This vulnerability is now considered a false positive and has been officially rejected. The CVE record for CVE-2025-43774 has been updated to REJECTED status. The issue...
A server-side request forgery (SSRF) vulnerability exists in the Liferay Portal and Liferay DXP that affects custom object attachment fields. This flaw allows an attacker to manipulate the...
Liferay Portal and Liferay DXP have a security vulnerability that allows improper access through the expandoTableLocalService. Liferay Portal fixed on master branch Liferay DXP 2025.Q2.1...
A server-side request forgery (SSRF) vulnerability exists in the Liferay DXP due to insecure domain validation on analytics.cloud.domain.allowed, allowing an attacker to perform requests by change...
Liferay Portal and Liferay DXP allow unauthenticated users with valid credentials to bypass the login process by changing the POST method to GET, once the site has MFA enabled. Liferay Portal...
Liferay Portal fixed on master branch Liferay DXP 2025.Q2.6 Liferay DXP 2025.Q1.16 Liferay DXP 2024.Q1.21 Liferay Portal 7.4.0 through 7.4.3.132 Liferay DXP 2025.Q2.0 through 2025.Q2.5 Liferay DXP...
Liferay DXP 2025.Q2.9 Liferay Portal fixed on master branch Liferay DXP 2025.Q2.9 Liferay DXP 2025.Q1.16 Liferay DXP 2024.Q1.20 Liferay DXP 2024.Q1.20 Liferay DXP 2025.Q1.16 This issue was reported...
A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal and Liferay DXP allows a remote authenticated user to inject JavaScript code via...
A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal and Liferay DXP allows a remote authenticated user to inject JavaScript code via...
Liferay Portal fixed on master branch Liferay DXP 2025.Q2.8 Liferay DXP 2025.Q1.16 Liferay DXP 2024.Q1.20 Liferay Portal 7.4.0 through 7.4.3.132 Liferay DXP 2025.Q2.0 through 2025.Q2.7 Liferay DXP...
Liferay Portal 7.4.0 through 7.4.3.112 Liferay DXP 2024.Q1.1 through 2024.Q1.18 Liferay DXP 7.4 GA through U92 Liferay Portal 7.4.3.113 Liferay Portal 7.4.3.113 Liferay DXP 2024.Q1.19 Liferay DXP...
Liferay DXP 2025.Q2.3 Liferay Portal fixed on master branch Liferay DXP 2025.Q2.3 Liferay DXP 2025.Q1.15 Liferay DXP 2024.Q1.19 Liferay DXP 2024.Q1.19 Liferay DXP 2025.Q1.15 This issue was reported...
Liferay DXP 2024.Q1.19 A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal and Liferay DXP allows a remote authenticated attacker to inject JavaScript code via...
A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal and Liferay DXP allows a remote authenticated user to inject JavaScript code via snippet parameter. Liferay Portal...
A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal and Liferay DXP allows a remote authenticated attacker to inject JavaScript into the PortalUtil.escapeRedirect Liferay...
Liferay Portal and Liferay DXP allow users to upload an unlimited number of files through the object entries attachment fields; the files are stored in the document_library allowing an attacker to...
A stored cross-site scripting vulnerability in the Liferay Portal and Liferay DXP allows a remote authenticated attacker to inject JavaScript into the...