CVE-2025-43774

A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.17 allows a remote authenticated user to inject JavaScript code via Style Book theme name. This malicious payload is then reflected and executed within the user's browser.

Published: Sep 9, 2025
Updated: Sep 11, 2025
CVE: CVE-2025-43774
GHSA: GHSA-qgj5-4qvg-2f8c
Severity: Low
Exploit:

No technical information available.

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
com.liferay / com.liferay.frontend.taglib.clay	-	15.2.1

https://github.com/liferay/liferay-portal
https://github.com/liferay/liferay-portal/commit/e15df92e3faa3abbf38e3643b79ab8cf2983d6df
https://liferay.atlassian.net/browse/LPE-18222
https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43774

Vulnerability Database

CVE-2025-43774

Deep Security Visibility Without the Complexity