In Liferay Portal versions 7.2.0 through 7.4.3.112 and Liferay DXP versions 2023.Q4.0 through 2023.Q4.8, 2023.Q3.1 through 2023.Q3.10, 7.4, and older unsupported versions a medium severity vulnerability CVE-2025-43814 was detected. This issue occurs because audit events record a user’s password reminder answer, which can allow remote authenticated users to obtain this sensitive information through the audit logs. To address this vulnerability, users should upgrade Liferay Portal to version 7.4.3.113 and Liferay DXP to versions 2024.Q2.0, 2024.Q1.1, 2023.Q4.9 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-43814.
Read more CMS
In Liferay Portal versions 7.2.0 through 7.4.3.117 and Liferay DXP versions 2024.Q1.1 through 2024.Q1.5, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4, 7.3, and older unsupported versions a medium severity vulnerability CVE-2025-43827 was detected. This insecure direct object reference vulnerability allows an authenticated user from one virtual instance to view audit events from a different virtual instance via the _com_liferay_portal_security_audit_web_portlet_AuditPortlet_auditEventId parameter. To address this issue, users should upgrade Liferay Portal to versions 7.4.3.118 and Liferay DXP to versions 2024.Q1.6, 2024.Q2.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-43827.
Read more CMS
In Liferay Portal versions 7.2.0 through 7.4.3.112 and Liferay DXP versions 2024.Q1.1 through 2024.Q1.2, 2023.Q4.0 through 2023.Q4.8, 2023.Q3.1 through 2023.Q3.10, 7.4, and older unsupported releases a medium severity vulnerability CVE-2025-43826 was detected. This stored cross-site scripting issue allows remote attackers to inject arbitrary script or HTML via rich text fields in Web Content translation. To address this vulnerability, users should upgrade Liferay Portal to version 7.4.3.113 and Liferay DXP to versions 2024.Q2.0, 2024.Q1.3, 2023.Q4.9 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-43826.
Read more CMS
In Liferay Portal versions 7.4.0 through 7.4.3.119, and Liferay DXP versions 2023.Q3.1 through 2023.Q3.10, 2023.Q4.0 through 2024.Q4.10, and 2024.Q1.1 through 2024.Q1.5 (including 7.4 GA through update 92 and older unsupported releases) a medium severity vulnerability CVE-2025-43816 was detected. This memory leak in the StructuredContents headless API could allow an attacker to repeatedly call the endpoint and exhaust server memory, leading to denial of service. To address this issue, users should upgrade Liferay Portal to versions 7.4.3.120 or later, and Liferay DXP 2024.Q1.6 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-43816.
Read more CMS
In Liferay Portal 7.4.3.121 through 7.3.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4.3, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, and 2024.Q1.1 through 2024.Q1.12 a medium severity vulnerability CVE-2025-43819 was detected. This vulnerability allows unauthenticated users to reuse old user sessions through the SLO API. To address this issue, users should upgrade Liferay Portal to versions 7.4.3.132 or later, and Liferay DXP 2025.Q1.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-43819.
Read more CMS
In Liferay Portal versions 7.1.0 through 7.4.3.101 and Liferay DXP versions 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, and 7.3 GA through update 35 a low severity vulnerability CVE-2025-43795 was detected. The issue is an open redirect affecting multiple settings pages (System, Instance and Site Settings) where an attacker could redirect users to arbitrary external URLs via the respective _redirect parameters in those portlets. To address this vulnerability, users should upgrade to Liferay Portal 7.4.3.102, Liferay DXP 2024.Q1.1, Liferay DXP 2023.Q4.0, Liferay DXP 2023.Q3.5, Liferay DXP 7.3 U36 and later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-43795.
In Liferay Portal versions 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.7, 2023.Q3.1 through 2023.Q3.9, 7.4 GA through update 92, and older unsupported versions a medium severity vulnerability CVE-2025-43809 was detected. This vulnerability allows remote attackers to register a server license via the ‘orderUuid’ parameter. To fix this issue, users should upgrade to Liferay Portal 7.4.3.112, Liferay DXP 2024.Q1.1, 2023.Q4.8, or 2023.Q3.9. For more information, visit https://nvd.nist.gov/vuln/detail/CVE-2025-43809.
Read more CMS
In Liferay Portal versions 7.3.0 through 7.4.3.112, and Liferay DXP 2023.Q4.0 through 2023.Q4.8, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and 7.3 service pack 3 through update 35 a medium severity vulnerability CVE-2025-43808 was detected. The Commerce component saves virtual products uploaded to Documents and Media with guest view permission, which allows remote attackers to access and download virtual products for free via a crafted URL. To fix this issue, users should upgrade to Liferay Portal 7.4.3.120, Liferay DXP 2024.Q2.0, 2024.Q1.1, or 2023.Q4.7. For more information, visit https://nvd.nist.gov/vuln/detail/CVE-2025-43808.
Read more CMS
In Liferay Portal 7.4.0 through 7.4.3.119 and Liferay DXP 2023.Q3–Q4 versions a medium severity vulnerability CVE-2025-43803 was found. It allows attackers to see contact names and email addresses through the _com_liferay_contacts_web_portlet_ContactsCenterPortlet_entryId parameter. To fix this, upgrade to Liferay Portal 7.4.3.120 or Liferay DXP 2024.Q2.0, 2024.Q1.1, or 2023.Q4.7. For details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-43803.