Liferay Security Vulnerabilities (CVEs)
Track 134 security vulnerabilities affecting Liferay products and software. Get instant email alerts when new CVEs are discovered, automated security monitoring, and patch guidance.
A reflected cross-site scripting (XSS) vulnerability in Liferay Portal and DXP allows remote unauthenticated attackers to inject malicious JavaScript ...
Aug 12, 2025
This CVE describes a Denial of Service vulnerability in Liferay Portal and DXP where authenticated users can upload profile pictures larger than the 3...
Aug 12, 2025
This CVE describes a pre-authentication blind Server-Side Request Forgery (SSRF) vulnerability in Liferay Portal and DXP. Attackers can force vulnerab...
Aug 9, 2025
This vulnerability allows attackers to bypass CAPTCHA verification in Liferay Portal/DXP, enabling them to execute arbitrary scripts in the Gogo shell...
Aug 4, 2025
This vulnerability allows remote unauthenticated attackers to execute cross-site scripting (XSS) attacks via the fragment preview functionality in Lif...
Aug 4, 2025
This vulnerability in Liferay Portal and DXP allows remote attackers to cause denial-of-service by consuming system memory through crafted HTTP reques...
Jun 16, 2025
A path traversal vulnerability in Liferay Portal and DXP allows remote attackers to write arbitrary files to server locations and download/execute arb...
Jun 16, 2025
This vulnerability allows remote attackers to perform denial-of-service attacks on Liferay Portal/DXP by sending complex GraphQL queries that overwhel...
Jun 16, 2025
This vulnerability allows unauthorized users to access form entry data in affected Liferay versions. It affects Liferay Portal 7.4.0-7.4.3.126 and mul...
Mar 20, 2025
This is a cross-site scripting (XSS) vulnerability in Liferay Portal and DXP that allows attackers to inject malicious scripts into the Service Access...
Dec 17, 2024
A reflected cross-site scripting (XSS) vulnerability in Liferay Portal and DXP allows attackers to inject malicious scripts via the Dispatch name fiel...
Dec 17, 2024
This CSRF vulnerability in Liferay's Script Console allows attackers to execute arbitrary Groovy code on affected servers by tricking authenticated ad...
Oct 22, 2024
This vulnerability allows remote authenticated users to modify workflow definitions in Liferay Portal/DXP, leading to arbitrary code execution (RCE). ...
Oct 22, 2024
This CSRF vulnerability in Liferay Portal/DXP allows attackers to trick authenticated users into performing unauthorized actions by clicking malicious...
Oct 22, 2024
A CSRF vulnerability in Liferay Portal and DXP allows attackers to trick authenticated administrators into performing unauthorized actions. Attackers ...
Oct 22, 2024
This stored XSS vulnerability allows authenticated attackers to inject malicious scripts into document titles in Liferay's Document and Media widget. ...
Feb 21, 2024
This CVE describes multiple stored cross-site scripting (XSS) vulnerabilities in Liferay Portal and DXP. Authenticated attackers can inject malicious ...
Feb 21, 2024
This reflected cross-site scripting (XSS) vulnerability in Liferay Portal and DXP allows attackers to inject malicious scripts into the Language Overr...
Feb 21, 2024
This reflected cross-site scripting (XSS) vulnerability in Liferay Portal and DXP allows remote attackers to inject malicious scripts into the 'Blocke...
Feb 21, 2024
This stored cross-site scripting (XSS) vulnerability in Liferay's Expando module allows authenticated attackers to inject malicious scripts into geolo...
Feb 21, 2024
This cross-site scripting (XSS) vulnerability in Liferay's HtmlUtil.escapeJsLink function allows attackers to inject malicious JavaScript or HTML thro...
Feb 21, 2024
This vulnerability allows remote authenticated users to inject malicious JavaScript or HTML into blog entries in Liferay Portal/DXP, leading to cross-...
Feb 20, 2024
This XXE vulnerability in Liferay Portal and DXP allows authenticated attackers with deployment permissions to read sensitive files or cause denial of...
Feb 20, 2024
This stored XSS vulnerability in Liferay's Portal Search module allows authenticated attackers to inject malicious scripts into search results when hi...
Feb 7, 2024
This reflected cross-site scripting (XSS) vulnerability in Liferay Portal allows remote attackers to inject malicious scripts or HTML via the p_l_back...
Nov 17, 2023
This vulnerability allows remote attackers to inject malicious scripts into multiple address fields in Liferay's Commerce module. When exploited, thes...
Oct 17, 2023
This stored XSS vulnerability in Liferay Portal/DXP allows attackers to inject malicious scripts into wiki pages through the content field. When other...
Oct 17, 2023
A stored cross-site scripting (XSS) vulnerability in Liferay Portal and DXP allows attackers to inject malicious scripts into page names. When users v...
Oct 17, 2023
This stored cross-site scripting (XSS) vulnerability in Liferay Portal/DXP allows attackers to inject malicious scripts into vocabulary descriptions. ...
Oct 17, 2023
This reflected cross-site scripting (XSS) vulnerability allows attackers to inject malicious scripts into the Export for Translation page of affected ...
Oct 17, 2023
This vulnerability in Liferay Portal's Portal Security module allows remote attackers to perform account lockout attacks by attempting to authenticate...
Mar 2, 2022
CVE-2020-28884 is an OS command injection vulnerability in Liferay Portal Server that allows authenticated administrators to execute arbitrary operati...
Jan 28, 2022
This vulnerability allows remote attackers to enumerate user email addresses through Liferay's forgot password functionality due to an insecure defaul...
Aug 3, 2021
This vulnerability in Liferay Portal's Dynamic Data Mapping module allows unauthenticated remote attackers to view form values that were autosaved by ...
Aug 3, 2021
Why Monitor Liferay Security Vulnerabilities?
Real-time CVE tracking: Our automated system monitors 134+ known vulnerabilities affecting Liferay products and software packages. Stay ahead of emerging threats with instant email notifications when new security issues are discovered.
Automated security monitoring: Unlike manual CVE checking, FixTheCVE automatically scans your servers and detects vulnerable Liferay packages in under 60 seconds. No agents required - completely agentless scanning that works across Liferay deployments.
Free vulnerability database: Access detailed information about every Liferay CVE including CVSS scores, severity ratings, affected versions, and actionable patch guidance. Filter by critical, high, medium, or low severity to prioritize your security remediation efforts.
🚀 Get Started in 60 Seconds
- Register free account & add your servers
- Run one-time scan or schedule automatic monitoring (every 1-24 hours)
- Receive instant alerts when new Liferay CVEs affect your systems
- Access dashboard with severity breakdown & fix instructions