Known Vulnerabilities

Releases

  • Liferay Portal 7.4 U132
  • Liferay Portal 7.4
  • Liferay Portal 7.3
  • Liferay Portal 7.2
  • Liferay Portal 7.1
  • Liferay Portal 7.0
  • Liferay Portal 6.2 CE
  • Liferay Faces
  • Liferay DXP 7.4
  • Liferay DXP 7.3
  • Liferay DXP 7.2
  • Liferay DXP 7.1
  • Liferay DXP 7.0
  • Liferay DXP 2025.Q4
  • Liferay DXP 2025.Q3
  • Liferay DXP 2025.Q2
  • Liferay DXP 2025.Q1
  • Liferay DXP 2024.Q4
  • Liferay DXP 2024 Q3
  • Liferay DXP 2024 Q2
  • Liferay DXP 2024 Q1
  • Liferay DXP 2023.Q4
  • Liferay DXP 2023.Q3
  • CVE-2025-62255 Self-XSS with attachment file names in Knowledge Base

  • CVE-2025-62254 Very large ComboServlet responses

  • CVE-2025-43816 Memory leak when consuming the headless API for StructuredContents

  • CVE-2025-43814 Password reminder answers recorded in audit events

  • CVE-2025-43809 CSRF vulnerability with server (license) registration

  • CVE-2025-43801 DoS via unchecked input for loop condition in XML-RPC

  • CVE-2025-43805 Display Page Templates visible to unauthorized users

  • CVE-2025-43791 XSS with Rich Text fields in Data Engine

  • CVE-2025-43797 Insecure default site membership type

  • CVE-2025-62250 Portal fails to verify that messages from the cluster network are trusted

  • CVE-2025-3760 Stored XSS with radio button type custom fields

  • CVE-2024-11993 Reflected XSS in Dispatch Name field

  • CVE-2025-43799 Change password requirement bypass

  • CVE-2025-43824 HTTP response injection/splitting vulnerability with vCard

  • CVE-2025-43830 XSS when viewing form entries with rich text fields

  • CVE-2025-62244 Edit publication page IDOR

  • CVE-2025-43827 IDOR audit events

  • CVE-2025-43826 Stored XSS with web content translation

  • CVE-2025-62246 Stored XSS with mentions in comments

  • CVE-2025-62251 The Menu Display Widget shows content to users without permission to view it

  • CVE-2025-62252 Assign user from another instance to an organization

  • CVE-2025-43795 Open redirect in System Settings, Instance Settings and Site Settings

  • CVE-2023-37940 XSS with "Service Class" in Service Access Policy

  • CVE-2025-3602 GraphQL queries do not limit depth

  • CVE-2025-3526 DoS vulnerability with SessionClicks

  • CVE-2025-3594 DoS vulnerability with SessionClicks

  • CVE-2025-43748 Insufficient CSRF protection for omni-administrator actions

  • CVE-2025-43829 Stored XSS with SVG files in diagram type products

  • CVE-2024-26272 CSRF bypass related to `p_l_back_url` in content page editor

  • CVE-2024-38002 Regular users can edit workflow definition

  • CVE-2024-25151 Possible XSS & content spoofing in notifications emails

  • CVE-2024-26266 Stored XSS with user name in Announcements & Alerts

  • CVE-2024-26269 XSS with anchor/hash part of a URL in portlet.js

  • CVE-2023-42496 XSS with `tabs2` in role assignment

  • CVE-2024-25603 Stored XSS with instanceId in DDMForm

  • CVE-2024-25152 Stored XSS with message board file attachment

  • CVE-2024-25601 Stored XSS with geolocation custom fields

  • CVE-2024-25602 Stored XSS with organization name in edit user

  • CVE-2024-25147 HtmlUtil.escapeJSLink circumvention

  • CVE-2024-26268 User enumeration vulnerability by comparing login response time

  • CVE-2024-26267 Insecure default for the property `http.header.version.verbosity`

  • CVE-2024-26265 File system flooding through the Image Uploader

  • CVE-2024-25610 Stored XSS with Blog entries (Insecure defaults)

  • CVE-2024-25609 HtmlUtil.escapeRedirect circumvention with two forward slashes

  • CVE-2024-25608 Open redirect vulnerability using Replacement Character

  • CVE-2024-25607 Default password hashing algorithm does not provide sufficient protection

  • CVE-2024-25606 XXE vulnerability in Java2WsddTask._format

  • CVE-2024-25605 Unauthorized access to Web Content templates

  • CVE-2024-25604 User can access and edit their own permissions

  • CVE-2024-25150 User full name disclosure in page title

  • CVE-2024-25149 Users without parent site membership can be registered on child sites

  • CVE-2022-45320 Wiki page privilege escalation

  • CVE-2024-25148 'doAsUserId' value may get leaked when using WYSIWYG editor to create content

  • CVE-2024-25146 Unauthorized users can discover if a site exists

  • CVE-2024-25145 Stored XSS with search results if highlighting is disabled

  • CVE-2024-25144 DoS via a self-referencing IFrame

  • CVE-2024-25143 DoS vulnerabilities via crafted PNG image

  • CVE-2021-29050 CSRF vulnerability in Terms of Use page

  • CVE-2021-29038 Password reminder answers are not obfuscated

  • CVE-2023-47798 Account lockout does not invalidate user sessions

  • CVE-2023-44310 XSS with page name in Page Tree

  • CVE-2023-42628 XSS with child wiki pages

  • CVE-2023-42627 Multiple stored XSS with shipping & billing address

  • CVE-2023-33937 Stored XSS with form name in form configuration

  • CVE-2023-33938 Stored XSS with object name in App Builder

  • CVE-2023-33939 Stored XSS in Modified Facet

  • CVE-2023-33944 XSS with container layout fragment URL

  • CVE-2023-33945 SQL injection in SQL Server upgrades

  • CVE-2023-33949 Users do not have to verify their email address by default

  • CVE-2022-42132 LDAP credentials exposed in URL

  • CVE-2022-42131 DDMRESTDataProvider vulnerable to man-in-the-middle attack

  • CVE-2022-42130 Unauthorized access to form entries via API

  • CVE-2022-42129 Insecure direct object reference vulnerability with Form entries

  • CVE-2022-42126 User permissions are not checked for DepotGroupItemSelectorProvider

  • CVE-2022-42124 ReDoS vulnerability in upgrade of layout prototype name

  • CVE-2022-42123 Zip Slip vulnerability in Elasticsearch Connector

  • CVE-2022-42122 SQL injection in friendly URL upgrade

  • CVE-2022-42121 SQL injection vulnerability during page template upgrade

  • CVE-2022-42120 SQL injection vulnerability during fragment upgrade

  • CVE-2022-42119 Stored XSS with ERC in Commerce catalog

  • CVE-2022-42118 Reflected XSS with `tag` in Search

  • CVE-2022-42117 Reflected XSS with `label` attribute in <clay:label>

  • CVE-2022-42116 Reflected XSS with name & namespace parameter in integration with CKEditor

  • CVE-2022-42112 Stored XSS with sort by label in Search Sort widget

  • CVE-2022-42111 Stored XSS with a shared asset name in notification

  • CVE-2022-42110 Stored XSS with announcement/alert type

  • CVE-2022-38901 Stored XSS with categories selector fields

  • CVE-2022-38902 Stored XSS with SVG file description

  • CVE-2022-39975 Unauthorized access to "Content Page" previews

  • CST-2022-01 Insecure defaults: auth.login.prompt.enabled

  • CVE-2022-26593 Stored XSS with category name in asset categories selector

  • CVE-2022-26594 XSS vulnerability with form field help text

  • CVE-2022-26595 Unauthorized access to site/group list

  • CVE-2022-26597 Stored XSS with site name in Open Graph integration

  • CVE-2022-28977 HtmlUtil.escapeRedirect circumvention with multiple forward slashes

  • CVE-2022-28978 Stored XSS with user name in site membership

  • CVE-2022-28979 XSS in Custom Facet widget

  • CVE-2022-28982 Reflected XSS with tag name in <liferay-asset:asset-tags-selector>

  • CVE-2021-38263 Reflected XSS with Script page

  • CVE-2021-38265 Stored XSS with Collection name

  • CVE-2021-38267 Stored XSS with title and subtitle of blog entry

  • CVE-2021-38268 Site member can add new forms by default

  • CVE-2021-38269 Stored XSS with Gogo Shell output

  • CVE-2021-29053 SQL/HQL Injection in Commerce Address Web & Commerce Product Service

  • CVE-2021-29039 Stored XSS with Site name in Categories

  • CVE-2021-29040 Overly verbose JSON web services errors

  • CVE-2021-29043 S3 store's proxy password visible in System Settings

  • CVE-2021-29044 Stored XSS with membership request comment

  • CVE-2021-29045 Stored XSS with Destination URL of Redirection

  • CVE-2021-29046 Stored XSS with category name

  • CVE-2021-29047 SimpleCaptcha answer reuse

  • CVE-2021-29048 Stored XSS with Site Page name

  • CVE-2021-29051 Reflected XSS with 'assetEntryId' in Asset Publisher

  • CVE-2021-29052 Unauthorized users can view DDMStructures

  • CVE-2021-33320 Flagging content as inappropriate is not rate limited

  • CVE-2021-33321 Insecure default configuration allows for user enumeration using forgot password

  • CVE-2021-33322 Password change does not invalidate password reset tokens

  • CVE-2021-33323 Unauthenticated form drafts are visible to everybody

  • CVE-2021-33324 Unauthorized users can view a site's pages via page administration

  • CVE-2021-33325 User's unencrypted passwords stored in database

  • CVE-2021-33326 XSS with the title of a modal window

  • CVE-2021-33327 Unauthorized users can view the Guest and User roles

  • CVE-2021-33328 Stored XSS with Web Content Structure names and Document Types names in Categories Admin

  • CVE-2021-33330 CORS should not work with Portal Session authentication

  • CVE-2021-33331 Open redirect vulnerability in notifications

  • CVE-2021-33332 Reflected XSS with portletId in Look and Feel Configuration

  • CVE-2021-33333 Unauthorized users can view and delete workflow submissions

  • CVE-2021-33334 Unauthorized users can view forms and form entries

  • CVE-2021-33335 Non-company admins can edit company admins

  • CVE-2021-33336 Stored XSS with Structure name

  • CVE-2021-33337 Stored XSS with Document Types in Documents and Media

  • CVE-2021-33338 Adding pages exposes CSRF token

  • CVE-2021-33339 Stored XSS with Site name in Fragment portlet

  • CVE-2022-26596 Stored XSS with Template name

  • CST-7307 Unauthorized users can delete a staging publishing process

  • CST-7308 'portlet.resource.id.banned.paths.regexp' bypass with doubled encoded URLs

  • CST-7309 User enumeration via forgot password

  • CST-7310 Reflected XSS in Page Fragments' edit page

  • CST-7311 Blog cover image extension circumvention

  • CST-7312 Libraries with known vulnerabilities in 7.2.1 and 7.3.2

  • CST-7313 Stored XSS with user name in workflow definition editor

  • CST-7314 Viewing Calendar widget prevents Instance Settings from saving

  • CST-7315 Unauthorized access to staged public pages' sitemap.xml

  • CST-7316 Reflected XSS with 'openId' in Login module

  • CST-7317 DoS vulnerability with multipart/form-data requests

  • CST-7318 Database DoS in URL Redirections Management

  • CST-7301 DDMDataProvider API leaks REST data provider password

  • CST-7302 Remote code execution with FreeMarker/Velocity templates

  • CST-7303 Circumvention of open redirect prevention using tabs

  • CST-7304 Stored XSS with user name in workflow assignments

  • CST-7305 Libraries with known vulnerabilities in 7.3.0 and 7.3.1

  • CST-7306 Unauthorized users can view a site's user groups

Copyright © 2025 Liferay, Inc