CVE-2025-43759

Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.14 and 7.4 GA through update 92 allows admin users of a virtual instance to add pages that are not in the default/main virtual instance, then any tenant can create a list of all other tenants.

Published: Aug 22, 2025
Updated: Aug 26, 2025
CVE: CVE-2025-43759
GHSA: GHSA-w3cr-3xw2-rp78
Severity: Medium
Exploit:

No technical information available.

CWEs:

CWE-732

Affected Software
References

Software	From	Fixed in
com.liferay / com.liferay.layout.impl	-	6.0.147

https://github.com/liferay/liferay-portal/commit/2e29e6733bc0e058bef89d16faac542bf2585346
https://github.com/liferay/liferay-portal/commit/e8cbc7c27e5ed51c4079dd62738713f31afb46f7
https://liferay.atlassian.net/browse/LPE-18185
https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43759

Vulnerability Database

CVE-2025-43759