Description
[Update 2025-09-18]: This vulnerability is now considered a false positive and has been officially rejected. The CVE record for CVE-2025-43774 has been updated to REJECTED status. The issue was found to be present only in a feature that was under development and protected by a beta feature flag, making it not exploitable in official product releases.
A reflected cross-site scripting (XSS) vulnerability in Liferay DXP allows a remote authenticated user to inject JavaScript code via the Style Book theme name. This malicious payload is then reflected and executed within the user's browser.
Severity
N/A (N/A)
Affected Version(s)
- N/A
Fixed Version(s)
- N/A
Publication Date: