Liferay Liferay_portal
319 CVEs affecting Liferay Liferay_portal. Latest disclosed: 2025-11-01. Critical: 31, High: 41.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2025-43766 | Critical | 9.8 | 2025-08-23 | The Liferay Portal 7.4.0 through 7.3.3.131, and Liferay DXP 2024.Q4.0, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12… |
| CVE-2025-3594 | Critical | 9.8 | 2025-06-16 | Path traversal vulnerability with the downloading and installation of Xuggler in Liferay Portal 7.0.0 through 7.4.3.4, and Liferay DXP 7.4 GA, 7.3 GA through u… |
| CVE-2021-33990 | Critical | 9.8 | 2023-04-16 | Liferay Portal 6.2.5 allows Command=FileUpload&Type=File&CurrentFolder=/ requests when frmfolders.html exists. NOTE: The vendor disputes this issue because the… |
| CVE-2022-42122 | Critical | 9.8 | 2022-11-15 | A SQL injection vulnerability in the Friendly Url module in Liferay Portal 7.3.7, and Liferay DXP 7.3 fix pack 2 through update 4 allows attackers to execute a… |
| CVE-2022-42120 | Critical | 9.8 | 2022-11-15 | A SQL injection vulnerability in the Fragment module in Liferay Portal 7.3.3 through 7.4.3.16, and Liferay DXP 7.3 before update 4, and 7.4 before update 17 al… |
| CVE-2020-7961 | Critical | 9.8 | 2020-03-20 | Deserialization of Untrusted Data in Liferay Portal prior to 7.2.1 CE GA2 allows remote attackers to execute arbitrary code via JSON web services (JSONWS). |
| CVE-2019-16891 | Critical | 9.8 | 2019-10-04 | Liferay Portal CE 6.2.5 allows remote command execution because of deserialization of a JSON payload. |
| CVE-2024-8980 | Critical | 9.6 | 2024-10-22 | The Script Console in Liferay Portal 7.0.0 through 7.4.3.101, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35… |
| CVE-2024-26269 | Critical | 9.6 | 2024-02-21 | Cross-site scripting (XSS) vulnerability in the Frontend JS module's portlet.js in Liferay Portal 7.2.0 through 7.4.3.37, and Liferay DXP 7.4 before update 38… |
| CVE-2023-42498 | Critical | 9.6 | 2024-02-21 | Reflected cross-site scripting (XSS) vulnerability in the Language Override edit screen in Liferay Portal 7.4.3.8 through 7.4.3.97, and Liferay DXP 2023.Q3 bef… |
| CVE-2023-42496 | Critical | 9.6 | 2024-02-21 | Reflected cross-site scripting (XSS) vulnerability on the add assignees to a role page in Liferay Portal 7.3.3 through 7.4.3.97, and Liferay DXP 2023.Q3 before… |
| CVE-2024-25147 | Critical | 9.6 | 2024-02-21 | Cross-site scripting (XSS) vulnerability in HtmlUtil.escapeJsLink in Liferay Portal 7.2.0 through 7.4.1, and older unsupported versions, and Liferay DXP 7.3 be… |
| CVE-2024-25145 | Critical | 9.6 | 2024-02-07 | Stored cross-site scripting (XSS) vulnerability in the Portal Search module's Search Result app in Liferay Portal 7.2.0 through 7.4.3.11, and older unsupported… |
| CVE-2023-47797 | Critical | 9.6 | 2023-11-17 | Reflected cross-site scripting (XSS) vulnerability on a content page’s edit page in Liferay Portal 7.4.3.94 through 7.4.3.95 allows remote attackers to inject… |
| CVE-2023-42627 | Critical | 9.6 | 2023-10-17 | Multiple stored cross-site scripting (XSS) vulnerabilities in the Commerce module in Liferay Portal 7.3.5 through 7.4.3.91, and Liferay DXP 7.3 update 33 and e… |
| CVE-2023-44311 | Critical | 9.6 | 2023-10-17 | Multiple reflected cross-site scripting (XSS) vulnerabilities in the Plugin for OAuth 2.0 module's OAuth2ProviderApplicationRedirect class in Liferay Portal 7… |
| CVE-2023-42497 | Critical | 9.6 | 2023-10-17 | Reflected cross-site scripting (XSS) vulnerability on the Export for Translation page in Liferay Portal 7.4.3.4 through 7.4.3.85, and Liferay DXP 7.4 before up… |
| CVE-2025-43773 | Critical | 9.1 | 2025-08-29 | Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0, 2025.Q1.0 through 2025.Q1.14, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 20… |
| CVE-2024-38002 | Critical | 9.0 | 2024-10-22 | The workflow component in Liferay Portal 7.3.2 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through upda… |
| CVE-2023-47795 | Critical | 9.0 | 2024-02-21 | Stored cross-site scripting (XSS) vulnerability in the Document and Media widget in Liferay Portal 7.4.3.18 through 7.4.3.101, and Liferay DXP 2023.Q3 before p… |