Liferay Security Vulnerabilities (CVEs)
Track 134 security vulnerabilities affecting Liferay products and software. Get instant email alerts when new CVEs are discovered, automated security monitoring, and patch guidance.
This vulnerability allows remote users to access and edit content via APIs before changing their initial password in affected Liferay versions. It aff...
Sep 15, 2025

This cross-site scripting (XSS) vulnerability in Liferay Portal and DXP allows remote attackers to inject malicious scripts or HTML into rich text fie...
Sep 15, 2025

This CVE describes multiple cross-site scripting (XSS) vulnerabilities in Liferay Portal and DXP that allow remote attackers to inject malicious scrip...
Sep 15, 2025

This vulnerability allows remote authenticated users in Liferay Portal/DXP to exfiltrate data to attacker-controlled servers during remote staging ope...
Sep 15, 2025

This vulnerability allows attackers who control a website sharing the same top-level domain (TLD) to read cookies set by Liferay applications. It affe...
Sep 15, 2025

This stored XSS vulnerability allows authenticated Liferay instance administrators to inject malicious scripts into the CDN host configuration fields,...
Sep 15, 2025

This CVE describes an open redirect vulnerability in Liferay Portal and DXP that allows attackers to redirect users to malicious external websites. Th...
Sep 12, 2025

This vulnerability allows remote attackers to perform denial-of-service attacks on Liferay Portal/DXP by exploiting GraphQL queries that return unlimi...
Sep 12, 2025

This vulnerability allows authenticated users in Liferay Portal/DXP to enumerate all organizations without proper permission checks. It affects Lifera...
Sep 12, 2025

This vulnerability in Liferay Portal/DXP allows JSON Web Services to be invoked directly as classes, bypassing intended Service Access Policy controls...
Sep 12, 2025

This CVE describes an Insecure Direct Object Reference (IDOR) vulnerability in Liferay Portal and DXP that allows authenticated users to access, creat...
Sep 11, 2025

An Insecure Direct Object Reference (IDOR) vulnerability in Liferay Portal and DXP allows authenticated users to access workflow definitions by name v...
Sep 11, 2025

This reflected cross-site scripting (XSS) vulnerability in Liferay Portal/DXP allows remote attackers to inject malicious scripts or HTML via the /c/p...
Sep 10, 2025

This CVE describes an improper access control vulnerability in Liferay Portal and DXP where guest users (unauthenticated users) can access object entr...
Sep 10, 2025

A stored cross-site scripting (XSS) vulnerability in Liferay Portal and DXP allows attackers to inject malicious scripts into the My Workflow Tasks pa...
Sep 10, 2025

This vulnerability allows attackers to enumerate External Reference Codes (ERCs) in Liferay Portal/DXP by exploiting timing differences in server resp...
Sep 9, 2025

A stored cross-site scripting (XSS) vulnerability in Liferay Portal and DXP allows remote attackers to inject malicious scripts via the remote app tit...
Sep 9, 2025

A reflected cross-site scripting (XSS) vulnerability in Liferay Portal and DXP allows remote attackers to inject malicious scripts via the search bar ...
Sep 9, 2025

A stored cross-site scripting (XSS) vulnerability in Liferay Portal and DXP allows authenticated attackers to inject malicious JavaScript through fiel...
Sep 9, 2025

A server-side request forgery (SSRF) vulnerability in Liferay Portal and DXP allows attackers to manipulate custom object attachment fields to make un...
Sep 9, 2025

This vulnerability allows authenticated admin users with Instance Administrator role to execute arbitrary Groovy scripts through Object actions in Lif...
Sep 1, 2025

This vulnerability in Liferay Portal and DXP allows improper access through the expandoTableLocalService, potentially enabling unauthorized data acces...
Aug 29, 2025

This vulnerability allows attackers to upload unrestricted files through Liferay's style books component, which are then processed within the environm...
Aug 23, 2025

A stored cross-site scripting (XSS) vulnerability in Liferay Portal and DXP allows unauthenticated remote attackers to inject malicious JavaScript int...
Aug 23, 2025

This vulnerability allows authenticated users with Kaleo Workflow update permissions to submit malicious regular expressions in the Role Name search f...
Aug 23, 2025

An open redirect vulnerability in Liferay Portal and DXP allows attackers to manipulate the /c/portal/edit_info_item parameter to redirect users to ma...
Aug 23, 2025

This vulnerability allows authenticated users without specific permissions to access sensitive information of admin users via JSONWS APIs in Liferay P...
Aug 23, 2025

A reflected cross-site scripting (XSS) vulnerability in Liferay Portal and DXP allows remote unauthenticated attackers to inject malicious JavaScript ...
Aug 23, 2025

This vulnerability in Liferay Portal and DXP allows authenticated users to upload unlimited files through forms, which are stored in the document libr...
Aug 22, 2025

A reflected cross-site scripting (XSS) vulnerability in Liferay Portal/DXP allows authenticated remote attackers to inject malicious JavaScript via th...
Aug 22, 2025

This vulnerability allows remote attackers to determine if user accounts exist in Liferay Portal/DXP by exploiting the create account page. Attackers ...
Aug 22, 2025

This vulnerability in Liferay Portal and DXP allows authenticated users to upload unlimited files through object entries attachment fields, which are ...
Aug 22, 2025

A reflected cross-site scripting (XSS) vulnerability in Liferay Portal and DXP allows authenticated remote users to inject malicious JavaScript into e...
Aug 21, 2025

This SSRF vulnerability in Liferay DXP allows attackers to bypass domain validation and make unauthorized server requests. Attackers can potentially a...
Aug 21, 2025

This CVE describes a username enumeration vulnerability in Liferay Portal and DXP where attackers can determine if user accounts exist by analyzing se...
Aug 21, 2025

A reflected cross-site scripting (XSS) vulnerability in Liferay Portal and DXP allows authenticated remote attackers to inject malicious JavaScript vi...
Aug 21, 2025

This CVE describes a Cross-Site Request Forgery (CSRF) vulnerability affecting omni-administrator users in Liferay Portal and DXP. Attackers can trick...
Aug 20, 2025

This vulnerability allows unauthenticated remote users (including guest users) to upload malicious files to Liferay Portal/DXP systems by bypassing fi...
Aug 20, 2025

This vulnerability allows unauthenticated users (guests) to access files uploaded via forms and stored in Liferay's document library by manipulating U...
Aug 20, 2025

A reflected cross-site scripting (XSS) vulnerability in Liferay Portal/DXP allows authenticated attackers to inject malicious JavaScript via the _com_...
Aug 20, 2025

A reflected cross-site scripting (XSS) vulnerability in Liferay Portal and DXP allows unauthenticated remote attackers to inject malicious JavaScript ...
Aug 20, 2025

This vulnerability in Liferay Portal and DXP allows any authenticated user to enumerate other users' names by viewing their calendars. This informatio...
Aug 19, 2025

A stored DOM-based XSS vulnerability in Liferay Portal and DXP allows attackers to inject malicious JavaScript via DDM structure field labels in the A...
Aug 19, 2025

A reflected cross-site scripting (XSS) vulnerability in Liferay Portal/DXP allows authenticated attackers to inject malicious JavaScript via the backU...
Aug 19, 2025

This CSRF vulnerability in Liferay Portal and DXP allows remote attackers to perform unauthorized actions on behalf of authenticated users by exploiti...
Aug 19, 2025

A reflected cross-site scripting (XSS) vulnerability in Liferay Portal and DXP allows authenticated remote users to inject malicious JavaScript via a ...
Aug 19, 2025

This vulnerability allows any authenticated user in Liferay Portal/DXP to modify email content sent through the calendar portlet, enabling phishing at...
Aug 19, 2025

A stored cross-site scripting (XSS) vulnerability in Liferay Portal and DXP allows authenticated attackers to inject malicious JavaScript through the ...
Aug 19, 2025

A reflected cross-site scripting (XSS) vulnerability in Liferay Portal and DXP allows authenticated remote users to inject malicious JavaScript into m...
Aug 18, 2025

A reflected cross-site scripting (XSS) vulnerability in Liferay Portal and DXP allows authenticated attackers to inject malicious JavaScript via the c...
Aug 12, 2025

Why Monitor Liferay Security Vulnerabilities?
Real-time CVE tracking: Our automated system monitors 134+ known vulnerabilities affecting Liferay products and software packages. Stay ahead of emerging threats with instant email notifications when new security issues are discovered.
Automated security monitoring: Unlike manual CVE checking, FixTheCVE automatically scans your servers and detects vulnerable Liferay packages in under 60 seconds. No agents required - completely agentless scanning that works across Liferay deployments.
Free vulnerability database: Access detailed information about every Liferay CVE including CVSS scores, severity ratings, affected versions, and actionable patch guidance. Filter by critical, high, medium, or low severity to prioritize your security remediation efforts.