In Liferay Portal versions 7.4.3.50 through 7.4.3.111 and Liferay DXP versions 2023.Q4.0 through 2023.Q4.4, 2023.Q3.1 through 2023.Q3.7, and 7.4 Update 50 through Update 92 a medium severity vulnerability CVE-2025-43811 was detected. This stored cross-site scripting vulnerability in the related asset selector allows remote authenticated attackers to inject arbitrary web script or HTML via a crafted payload placed in an asset author’s First Name, Middle Name, or Last Name fields. To address this issue, users should upgrade Liferay Portal to version7.4.3.112 and Liferay DXP to versions 2024.Q1.1, 2023.Q4.5, 2023.Q3.8 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-43811.
Read more CMSIn Liferay Portal versions 7.4.3.35 through 7.4.3.110 and Liferay DXP versions 2023.Q4.0 through 2023.Q4.4, 2023.Q3.1 through 2023.Q3.6, 7.4 Update 35 through Update 92, and 7.3 Update 25 through Update 36 a medium severity vulnerability CVE-2025-43820 was detected. This issue affects the Calendar widget, where crafted payloads injected into a user’s First Name, Middle Name, or Last Name fields can allow attackers to insert arbitrary script or HTML when users are invited to an event. To address this vulnerability, users should upgrade Liferay Portal to versions 7.4.3.111 and Liferay DXP to versions 2024.Q1.1, 2023.Q4.5, 2023.Q3.7 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-43820.
Read more CMSIn Liferay Portal versions 7.4.3.74 through 7.4.3.111 and Liferay DXP versions 2023.Q4.0 through 2023.Q4.6, 2023.Q3.1 through 2023.Q3.8, and 7.4 Update 74 through Update 92 a medium severity vulnerability CVE-2025-43817 was detected. This issue consists of multiple reflected script injection vulnerabilities, where remote attackers can inject arbitrary script or HTML through the redirect parameter in Announcements or Alerts. To address this vulnerability, users should upgrade Liferay Portal to version 7.4.3.112 and Liferay DXP to versions 2023.Q3.9, 2023.Q4.7, 2024.Q1.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-43817.
Read more CMSIn Liferay Portal versions 7.4.0 through 7.4.3.107, 7.3.0 through 7.3.7, and Liferay DXP versions 2023.Q4.0 through 2023.Q4.4, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through Update 92, 7.3 GA through Update 35, and older unsupported releases a medium severity vulnerability CVE-2025-43813 was detected. This path traversal and denial-of-service issue in the ComboServlet allows remote attackers to access arbitrary CSS and JavaScript files and to repeatedly load them via crafted query strings, potentially causing resource exhaustion. To address this vulnerability, users should upgrade Liferay Portal to versions 7.4.3.108 and Liferay DXP to versions 2024.Q1.1, 2023.Q4.5, 2023.Q3.9, 7.3 U36 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-43813.
Read more CMSIn Liferay Portal versions 7.2.0 through 7.4.3.112 and Liferay DXP versions 2023.Q4.0 through 2023.Q4.8, 2023.Q3.1 through 2023.Q3.10, 7.4, and older unsupported versions a medium severity vulnerability CVE-2025-43814 was detected. This issue occurs because audit events record a user’s password reminder answer, which can allow remote authenticated users to obtain this sensitive information through the audit logs. To address this vulnerability, users should upgrade Liferay Portal to version 7.4.3.113 and Liferay DXP to versions 2024.Q2.0, 2024.Q1.1, 2023.Q4.9 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-43814.
Read more CMSIn Liferay Portal versions 7.4.3.102 through 7.4.3.110 and Liferay DXP versions 2023.Q4.0 through 2023.Q4.2 and 2023.Q3.5 a medium severity vulnerability CVE-2025-43815 was detected. This reflected cross-site scripting (XSS) vulnerability occurs on the page configuration page, where the com_liferay_layout_admin_web_portlet_GroupPagesPortlet_backURLTitle parameter can be exploited by remote attackers to inject arbitrary web script or HTML. To address this issue, users should upgrade Liferay Portal to version 7.4.3.111 and Liferay DXP to versions 2024.Q1.1, 2023.Q4.3, 2023.Q3.6 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-43815.
Read more CMSIn Liferay Portal versions 7.2.0 through 7.4.3.117 and Liferay DXP versions 2024.Q1.1 through 2024.Q1.5, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4, 7.3, and older unsupported versions a medium severity vulnerability CVE-2025-43827 was detected. This insecure direct object reference vulnerability allows an authenticated user from one virtual instance to view audit events from a different virtual instance via the _com_liferay_portal_security_audit_web_portlet_AuditPortlet_auditEventId parameter. To address this issue, users should upgrade Liferay Portal to versions 7.4.3.118 and Liferay DXP to versions 2024.Q1.6, 2024.Q2.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-43827.
Read more CMSIn Liferay Portal versions 7.2.0 through 7.4.3.112 and Liferay DXP versions 2024.Q1.1 through 2024.Q1.2, 2023.Q4.0 through 2023.Q4.8, 2023.Q3.1 through 2023.Q3.10, 7.4, and older unsupported releases a medium severity vulnerability CVE-2025-43826 was detected. This stored cross-site scripting issue allows remote attackers to inject arbitrary script or HTML via rich text fields in Web Content translation. To address this vulnerability, users should upgrade Liferay Portal to version 7.4.3.113 and Liferay DXP to versions 2024.Q2.0, 2024.Q1.3, 2023.Q4.9 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-43826.
Read more CMSIn Liferay Portal versions 7.4.0 through 7.4.3.119, and Liferay DXP versions 2023.Q3.1 through 2023.Q3.10, 2023.Q4.0 through 2024.Q4.10, and 2024.Q1.1 through 2024.Q1.5 (including 7.4 GA through update 92 and older unsupported releases) a medium severity vulnerability CVE-2025-43816 was detected. This memory leak in the StructuredContents headless API could allow an attacker to repeatedly call the endpoint and exhaust server memory, leading to denial of service. To address this issue, users should upgrade Liferay Portal to versions 7.4.3.120 or later, and Liferay DXP 2024.Q1.6 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-43816.
Read more CMS