CVE-2025-43766

The Liferay Portal 7.4.0 through 7.3.3.131, and Liferay DXP 2024.Q4.0, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12 and 7.4 GA through update 92 allows the upload of unrestricted files in the style books component that are processed within the environment enabling arbitrary code execution by attackers.

Published: Aug 23, 2025
Updated: Aug 26, 2025
CVE: CVE-2025-43766
GHSA: GHSA-mf9q-87xx-jgvv
Severity: Medium
Exploit:

No technical information available.

CWEs:

CWE-434

Affected Software
References

Software	From	Fixed in
com.liferay / com.liferay.style.book.web	-	2.0.117

https://github.com/liferay/liferay-portal/commit/d4a5b8fc9f88468168603ff8a1f9b81fa5b7c43e
https://liferay.atlassian.net/browse/LPE-18145
https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43766

Vulnerability Database

CVE-2025-43766