CVE-2025-43807

Stored cross-site scripting (XSS) vulnerability in the notifications widget in Liferay Portal 7.4.0 through 7.4.3.112, and Liferay DXP 2023.Q4.0 through 2023.Q4.8, 2023.Q3.1 through 2023.Q3.10, and 7.4 GA through update 92 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a publication’s “Name” text field.

Published: Sep 22, 2025
Updated: Sep 23, 2025
CVE: CVE-2025-43807
GHSA: GHSA-jh9h-8xf2-25wj
Severity: Medium
Exploit:

No technical information available.

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
com.liferay / com.liferay.change.tracking.service	-	3.0.91

https://github.com/liferay/liferay-portal/commit/aaf32ff25affc0d63adc79abaedc9f565f033789
https://liferay.atlassian.net/browse/LPE-17923
https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43807

Vulnerability Database

CVE-2025-43807

Deep Security Visibility Without the Complexity