In Liferay Portal versions 7.4.0 through 7.4.3.109, and Liferay DXP versions 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.7, 7.4 GA through update 92, and 7.3 GA through update 35 a medium severity vulnerability CVE-2025-62256 was detected. This vulnerability allows remote attackers to bypass OpenAPI access restrictions and retrieve the OpenAPI YAML file through a crafted URL, potentially exposing sensitive API structure and endpoint information. To address this issue, users should update to Liferay Portal 7.4.3.110, Liferay DXP 2024.Q1.1, 2023.Q4.6, 2023.Q3.8, or 7.3 update 36. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-62256.
Read more CMSIn Liferay Portal versions 7.4.0 through 7.4.3.101 and Liferay DXP versions 2023.Q3.1 through 2023.Q3.5, 7.4 GA through update 92 and older unsupported versions a low severity vulnerability CVE-2025-62255 was detected. This vulnerability allows remote attackers to inject arbitrary web script or HTML via a crafted attachment filename on the Knowledge Base article edit page, potentially enabling self-XSS when the affected page is rendered in the victim’s browser. To address this issue, users should update to Liferay Portal 7.4.3.102, Liferay DXP 2023.Q3.6, or 7.3 update 35. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-62255.
Read more CMSIn Liferay Portal versions 7.4.0 through 7.4.3.111 and Liferay DXP versions 2023.Q4.0 through 2023.Q4.2, 2023.Q3.1 through 2023.Q3.5, 7.4 GA through update 92, 7.3 GA through update 35 and older unsupported versions a medium severity vulnerability CVE-2025-62254 was detected. This vulnerability allows remote attackers to trigger a denial of service by sending crafted requests that cause the ComboServlet to combine an excessive number or size of files, leading to very large responses and resource exhaustion. To address this issue, users should update to Liferay Portal 7.4.3.112, Liferay DXP 2024.Q1.1, 2023.Q4.3, 2023.Q3.6, or 7.3 update 36. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-62254.
Read more CMSIn Vault Community Edition versions 1.20.3 to 1.20.4, and in Vault Enterprise versions 1.20.3 to 1.20.4, 1.19.9 to 1.19.10, 1.18.14 to 1.18.15, and 1.16.25 to 1.16.26 a high severity vulnerability CVE-2025-12044 was detected. This vulnerability allows unauthenticated attackers to trigger a denial of service by sending specially crafted JSON payloads that bypass rate limits due to a regression from a previous fix. To address this issue, users should update to Vault Community Edition 1.21.0 or Vault Enterprise 1.16.27, 1.18.16, 1.19.11, 1.20.5, or 1.21.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-12044.
Read more SecurityIn Liferay Portal versions 7.4.0 through 7.4.3.111, and Liferay DXP 7.4 GA through update 92, 2023.Q3.1 through 2023.Q3.8, and 2023.Q4.0 through 2023.Q4.5 a medium severity vulnerability CVE-2025-43821 was detected. This vulnerability allows remote attackers to inject arbitrary web script or HTML via a crafted payload in a Commerce Product’s Name text field. Users should update Liferay Portal to 7.4.3.112 and Liferay DXP to 2024.Q1.1, 2023.Q3.9, or 2023.Q4.6. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-43821.
Read more CMSIn Liferay Portal versions 7.4.3.102 through 7.4.3.111, and Liferay DXP 2023.Q3.1 through 2023.Q3.10 and 2023.Q4.0 through 2023.Q4.5 a medium severity vulnerability CVE-2025-43771 was detected. This vulnerability allows remote attackers to inject arbitrary web script or HTML via crafted payloads in the Notifications widget, including user name fields, flagging “Other Reason” text field, or flagged content name. Users should update Liferay Portal to 7.4.3.112 and Liferay DXP to 2024.Q1.1 or 2023.Q4.6. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-43771.
Read more CMSIn Liferay Portal versions 7.4.3.35 through 7.4.3.111, 7.4 update 35 through update 92, and 7.3 update 25 through update 36, and Liferay DXP 2023.Q3.1 through 2023.Q3.7 and 2023.Q4.0 through 2023.Q4.5 a medium severity vulnerability CVE-2025-62240 was detected. This vulnerability allows remote attackers to inject arbitrary web script or HTML via crafted payloads in Calendar event fields, including a user’s First Name, Middle Name, or Last Name text fields. Users should update Liferay Portal to 7.4.3.112 and Liferay DXP to 2024.Q1.1, 2023.Q4.6, or 2023.Q3.8. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-62240.
Read more CMSIn Kibana versions 7.0.0 through 7.17.29, 8.0.0 through 8.18.7, 8.19.0 through 8.19.3, 9.0.0 through 9.0.6, and 9.1.0 through 9.1.3, a high severity vulnerability CVE-2025-25017 was detected. This vulnerability allows remote attackers to inject arbitrary web script or HTML via improperly neutralized input during web page generation in Vega visualizations. Users should update Kibana to versions 8.18.8, 8.19.4, 9.0.7, or 9.1.4. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-25017.
Read more Data AnalyticsIn Liferay Portal versions 7.4.0 through 7.4.3.132, and Liferay DXP versions 2025.Q2.0 through 2025.Q2.9, 2025.Q1.0 through 2025.Q1.16, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13, and 2024.Q1.1 through 2024.Q1.19 a medium severity vulnerability CVE-2025-62248 was detected. This vulnerability allows a remote authenticated attacker to inject and execute JavaScript code via the _com_liferay_dynamic_data_mapping_web_portlet_DDMPortlet_definition parameter, leading to code execution in the victim’s browser when visiting a crafted URL. To address this issue, users should update to Liferay DXP 2025.Q2.10, 2025.Q1.17, or 2024.Q1.20. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-62248.
Read more CMS