CVE-2025-43733

A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.7 allows a remote authenticated attacker to inject JavaScript code via the content page's name field. This malicious payload is then reflected and executed within the user's browser when viewing the "document View Usages" page.

Published: Aug 18, 2025
Updated: Aug 20, 2025
CVE: CVE-2025-43733
GHSA: GHSA-vhcr-hgc8-29qr
Severity: Low
Exploit:

No technical information available.

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
com.liferay / com.liferay.layout.taglib	-	17.0.0

https://github.com/liferay/liferay-portal/commit/2135a88adb8c7f1a6cb4fbd768fef3b08953a50c
https://liferay.atlassian.net/browse/LPE-18218
https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43733

Vulnerability Database

CVE-2025-43733