Skip to Main Content
  • Blogs
  • Feedback
  • Help
  • Meet
  • Chat
  • Discuss
  • Download
  • Learn
  • Log In

Known Vulnerabilities

  • Security Overview
  • Reporting Security Issues
  • Known Vulnerabilities
  • Hall of Fame

Releases

  • Liferay Portal 7.4 U132
  • Liferay Portal 7.4
  • Liferay Portal 7.3
  • Liferay Portal 7.2
  • Liferay Portal 7.1
  • Liferay Portal 7.0
  • Liferay Portal 6.2 CE
  • Liferay Faces
  • Liferay DXP 7.4
  • Liferay DXP 7.3
  • Liferay DXP 7.2
  • LIferay DXP 7.1
  • LIferay DXP 7.0
  • Liferay DXP 2025.Q4
  • Liferay DXP 2025.Q3
  • Liferay DXP 2025.Q2
  • Liferay DXP 2025.Q1
  • Liferay DXP 2024.Q4
  • Liferay DXP 2024 Q3
  • Liferay DXP 2024 Q2
  • Liferay DXP 2024 Q1
  • Liferay DXP 2023.Q4
  • Liferay DXP 2023.Q3
RSS

  • CVE-2025-62255 Self-XSS with attachment file names in Knowledge Base

  • CVE-2025-62256 OpenAPI authentication bypass

  • CVE-2025-62254 Very large ComboServlet responses

  • CVE-2025-43816 Memory leak when consuming the headless API for StructuredContents

  • CVE-2025-43814 Password reminder answers recorded in audit events

  • CVE-2025-43809 CSRF vulnerability with server (license) registration

  • CVE-2025-43801 DoS via unchecked input for loop condition in XML-RPC

  • CVE-2025-43805 Display Page Templates visible to unauthorized users

  • CVE-2025-43791 XSS with Rich Text fields in Data Engine

  • CVE-2025-43794 XSS with CDN host name

  • CVE-2025-43798 Time-based One-Time Password (TOTP) reuse

  • CVE-2025-43796 GraphQL does not limit page size

  • CVE-2025-62250 Portal fails to verify messages from the cluster network is trusted

  • CVE-2025-3760 Stored XSS with radio button type custom fields

  • CVE-2024-11993 Reflected XSS in Dispatch Name field

  • CVE-2025-43799 Change password requirement bypass

  • CVE-2025-43824 HTTP response injection/splitting vulnerability with vCard

  • CVE-2025-43803 IDOR vulnerable in Contacts Center

  • CVE-2025-43830 XSS when viewing form entries with rich text fields

  • CVE-2025-62244 Edit publication page IDOR

  • CVE-2025-43827 IDOR audit events

  • CVE-2025-43826 Stored XSS with web content translation

  • CVE-2025-62246 Stored XSS with mentions in comments

  • CVE-2025-62251 The Menu Display Widget shows content to users without permission to view it

  • CVE-2025-62252 Assign user from another instance to an organization

  • CVE-2025-43808 Unauthorized access the virtual products

  • CVE-2025-43795 Open redirect in System Settings, Instance Settings and Site Settings

  • CVE-2023-37940 XSS with "Service Class" in Service Access Policy

  • CVE-2025-3602 GraphQL queries does not limit depth

  • CVE-2025-43813 Possible path traversal and DoS with Combo Servlet

  • CVE-2025-3526 DoS vulnerability with SessionClicks

  • CVE-2025-3594 DoS vulnerability with SessionClicks

  • CVE-2025-43772 DoS vulnerability in Kaleo Forms Admin

  • CVE-2025-43748 Insufficient CSRF protection for omni-administrator actions

  • CVE-2024-8980 Mitigate against simple XSS attacks against script console

  • CVE-2025-43802 XSS with `externalReferenceCode` in Objects

  • CVE-2025-43829 Stored XSS with SVG files in diagram type products

  • CVE-2025-62240 XSS with user name in calendar event

  • CVE-2025-43820 Stored XSS with user name

  • CVE-2025-43818 Stored XSS with Calendar name

  • CVE-2024-26271 CSRF bypass related to `backURL` in My Account

  • CVE-2024-26273 CSRF bypass related to `redirect` in Commerce Catalogs

  • CVE-2024-26272 CSRF bypass related to `p_l_back_url` in content page editor

  • CVE-2024-38002 Regular users can edit workflow definition

  • CVE-2024-25151 Possible XSS & content spoofing in notifications emails

  • CVE-2024-26266 Stored XSS with user name in Announcements & Alerts

  • CVE-2024-26269 XSS with anchor/hash part of a URL in portlet.js

  • CVE-2023-42496 XSS with `tabs2` in role assignment

  • CVE-2024-25603 Stored XSS with instanceId in DDMForm

  • CVE-2024-25152 Stored XSS with message board file attachment

  • CVE-2024-25601 Stored XSS with geolocation custom fields

  • CVE-2024-25602 Stored XSS with organization name in edit user

  • CVE-2024-25147 HtmlUtil.escapeJSLink circumvention

  • CVE-2024-26268 User enumeration vulnerability by comparing login response time

  • CVE-2024-26267 Insecure default for the property `http.header.version.verbosity`

  • CVE-2024-26265 File system flooding through the Image Uploader

  • CVE-2024-25610 Stored XSS with Blog entries (Insecure defaults)

  • CVE-2024-25609 HtmlUtil.escapeRedirect circumvention with two forward slash

  • CVE-2024-25608 Open redirect vulnerability using Replacement Character

  • CVE-2024-25607 Default password hashing algorithm do not provide sufficient protection

  • CVE-2024-25606 XXE vulnerability in Java2WsddTask._format

  • CVE-2024-25605 Unauthorized access to Web Content templates

  • CVE-2024-25604 User can access and edit their own permissions

  • CVE-2024-25150 User full name disclosure in page title

  • CVE-2024-25149 Users without parent site membership can be registered on child sites

  • CVE-2022-45320 Wiki page privilege escalation

  • CVE-2024-25148 'doAsUserId' value may get leaked when using WYSIWYG editor to create content

  • CVE-2024-25146 Unauthorized users can discover if a site exist

  • CVE-2024-25145 Stored XSS with search results if highlighting is disabled

  • CVE-2024-25144 DoS via a self-referencing IFrame

  • CVE-2024-25143 DoS vulnerabilities via crafted PNG image

  • CVE-2021-29050 CSRF vulnerability in Terms of Use page

  • CVE-2021-29038 Password reminder answers are not obfuscated

  • CVE-2023-44310 XSS with page name in Page Tree

  • CVE-2023-42628 XSS with child wiki pages

  • CVE-2023-42627 Multiple stored XSS with shipping & billing address

  • CVE-2023-33938 Stored XSS with object name in App Builder

  • CVE-2023-33939 Stored XSS in Modified Facet

  • CVE-2023-33944 XSS with container layout fragment URL

  • CVE-2023-33945 SQL injection in SQL Server upgrades

Community
Company
Feedback
Blogs
Discuss
Meet
Open Source
Download
Events
Learn
Careers
Contact Us
Feedback
Help
Copyright © 2025 Liferay, Inc

Powered by Liferay™

Legal

Compliance

Privacy Policy

This Website Uses Cookies

This website uses cookies and similar tools, some of which are provided by third parties (together “tools”). These tools enable us and the third parties to access and record certain user-related and activity data and to track your interactions with this website. These tools and the informationcollected are used to operate and secure this website, enhance performance, enable certain website features and functionality, analyze and improve website performance, and personalize user experience.

If you click “Accept All”, you allow the deployment of all these tools and collection of the information by us and the third parties for all these purposes.

If you click “Decline All” your IP address and other information may still be collected but only by tools (including third party tools) that are necessary to operate, secure and enable default website features and functionalities. Review and change your preferences by clicking the “Configurations” at any time.

Visit our Privacy Policy