CVE-2025-43756

A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.15, 2025.Q2.0 through 2025.Q2.2 and 2024.Q1.13 through 2024.Q1.19 allows a remote authenticated user to inject JavaScript code via snippet parameter.

Published: Aug 21, 2025
Updated: Aug 23, 2025
CVE: CVE-2025-43756
GHSA: GHSA-q2gv-w583-f2vq
Severity: Medium
Exploit:

No technical information available.

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
com.liferay.portal / release.portal.bom	7.4.3.132-ga132	7.4.3.132-ga132.x

https://github.com/liferay/liferay-portal/commit/6228bb1142e748342d3f170bf104f458ff59ddb2
https://github.com/liferay/liferay-portal/commit/af4fc9238782c9f2f977d6b9d090ab7b9424dace
https://liferay.atlassian.net/browse/LPE-18266
https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43756

Vulnerability Database

CVE-2025-43756