
Known Vulnerabilities

Releases

  • Liferay Portal 7.4 U132
  • Liferay Portal 7.4
  • Liferay Portal 7.3
  • Liferay Portal 7.2
  • Liferay Portal 7.1
  • Liferay Portal 7.0
  • Liferay Portal 6.2 CE
  • Liferay Faces
  • Liferay DXP 7.4
  • Liferay DXP 7.3
  • Liferay DXP 7.2
  • Liferay DXP 7.1
  • Liferay DXP 7.0
  • Liferay DXP 2025.Q4
  • Liferay DXP 2025.Q3
  • Liferay DXP 2025.Q2
  • Liferay DXP 2025.Q1
  • Liferay DXP 2024.Q4
  • Liferay DXP 2024.Q3
  • Liferay DXP 2024.Q2
  • Liferay DXP 2024.Q1
  • Liferay DXP 2023.Q4
  • Liferay DXP 2023.Q3
  • CVE-2025-62256 OpenAPI authentication bypass

  • CVE-2025-62254 Very large ComboServlet responses

  • CVE-2025-43825 Sensitive user data available to FreeMarker template

  • CVE-2025-43816 Memory leak when consuming the headless API for StructuredContents

  • CVE-2025-43814 Password reminder answers recorded in audit events

  • CVE-2025-43806 Unauthorized access to exported data from batch engine

  • CVE-2025-43809 CSRF vulnerability with server (license) registration

  • CVE-2025-43801 DoS via unchecked input for loop condition in XML-RPC

  • CVE-2025-43804 Reflected XSS in Search widget

  • CVE-2025-43805 Display Page Templates visible to unauthorized users

  • CVE-2025-43791 XSS with Rich Text fields in Data Engine

  • CVE-2025-43792 Staging site data exfiltration

  • CVE-2025-43793 Supercookie

  • CVE-2025-43794 XSS with CDN host name

  • CVE-2025-43797 Insecure default site membership type

  • CVE-2025-43798 Time-based One-Time Password (TOTP) reuse

  • CVE-2025-43800 XSS with rich text type fields in objects

  • CVE-2025-43796 GraphQL does not limit page size

  • CVE-2025-62249 Reflected XSS in google_widget

  • CVE-2025-62250 Portal fails to verify that messages from the cluster network are trusted

  • CVE-2025-43781 Reflected XSS in search bar portlet

  • CVE-2025-43767 Open redirect in /c/portal/edit_info_item parameter redirect

  • CVE-2025-43766 Unrestricted upload of file in the style books component

  • CVE-2025-43751 User enumeration using create account

  • CVE-2025-2565 Exposure of data through form entry to unauthorized users

  • CVE-2025-2536 DOM based XSS at /o/layout-taglib/__liferay__/index.js

  • CVE-2025-3760 Stored XSS with radio button type custom fields

  • CVE-2025-43799 Change password requirement bypass

  • CVE-2025-43824 HTTP response injection/splitting vulnerability with vCard

  • CVE-2025-43803 IDOR vulnerability in Contacts Center

  • CVE-2025-43830 XSS when viewing form entries with rich text fields

  • CVE-2025-43771 XSS with flagged content notifications

  • CVE-2025-43807 XSS with publication invitation notifications

  • CVE-2025-62244 Edit publication page IDOR

  • CVE-2025-62245 CSRF vulnerability with publication comments

  • CVE-2025-43810 Adding a note to an order from another virtual instance

  • CVE-2025-62241 Access to shipment address in another instance

  • CVE-2025-43827 IDOR in audit events

  • CVE-2025-43826 Stored XSS with web content translation

  • CVE-2025-62246 Stored XSS with mentions in comments

  • CVE-2025-62251 The Menu Display Widget shows content to users without permission to view it

  • CVE-2025-62252 Assign user from another instance to an organization

  • CVE-2025-43812 Stored XSS with structure name in template

  • CVE-2025-43808 Unauthorized access to virtual products

  • CVE-2025-43813 Possible path traversal and DoS with Combo Servlet

  • CVE-2025-43817 Reflected XSS with redirect parameter in Announcements and Alerts

  • CVE-2025-3586 Instance Admin can execute code using Objects Actions and Validations

  • CVE-2025-43748 Insufficient CSRF protection for omni-administrator actions

  • CVE-2025-43802 XSS with `externalReferenceCode` in Objects

  • CVE-2025-62242 Access to another account's address

  • CVE-2025-62243 Multiple vulnerabilities related to publication comments

  • CVE-2025-62237 XSS with account name in orders

  • CVE-2025-62238 XSS with account name in account settings

  • CVE-2025-62239 XSS with workflow process builder

  • CVE-2025-43829 Stored XSS with SVG files in diagram type products

  • CVE-2025-43821 Stored XSS with product name in Commerce Product Comparison Table

  • CVE-2025-43822 Stored XSS with Term name on view order page

  • CVE-2025-43823 Stored XSS with product name in Commerce Search Result

  • CVE-2025-43811 XSS vulnerability with user name when selecting a related asset

  • CVE-2025-62240 XSS with user name in calendar event

  • CVE-2025-43820 Stored XSS with user name

  • CVE-2025-43818 Stored XSS with Calendar name

  • CVE-2024-26271 CSRF bypass related to `backURL` in My Account

  • CVE-2024-26273 CSRF bypass related to `redirect` in Commerce Catalogs

  • CVE-2024-26272 CSRF bypass related to `p_l_back_url` in content page editor

  • CVE-2025-43815 Reflected XSS with `backURLTitle` in page administration

  • CVE-2024-38002 Regular users can edit workflow definition

Copyright © 2025 Liferay, Inc