CVE-2025-43781

Reflected cross-site scripting (XSS) vulnerability in Liferay Portal 7.4.3.110 through 7.4.3.128, and Liferay DXP 2024.Q3.1 through 2024.Q3.8, 2024.Q2.0 through 2024.Q2.13 and 2024.Q1.1 through 2024.Q1.12 allows remote attackers to inject arbitrary web script or HTML via the URL in search bar portlet

Published: Sep 9, 2025
Updated: Sep 12, 2025
CVE: CVE-2025-43781
GHSA: GHSA-x5fw-8xgx-q6c9
Severity: Medium
Exploit:

No technical information available.

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
com.liferay / com.liferay.portal.search.web	6.0.125	6.0.143

https://github.com/liferay/liferay-portal/commit/f6483b5cff5c07b562c52f9eec336b2ebc9eeacd
https://liferay.atlassian.net/browse/LPE-18124
https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43781

Vulnerability Database

CVE-2025-43781

Deep Security Visibility Without the Complexity