CVE-2025-62255

Self Cross-site scripting (XSS) vulnerability on the edit Knowledge Base article page in Liferay Portal 7.4.0 through 7.4.3.101, and older unsupported versions, and Liferay DXP 2023.Q3.1 through 2023.Q3.5, 7.4 GA through update 92, and older unsupported versions allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into an attachment's filename.

Published: Oct 23, 2025
Updated: Nov 4, 2025
CVE: CVE-2025-62255
GHSA: GHSA-gccf-r9xp-x8jx
Severity: Low
Exploit:

No technical information available.

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
com.liferay / com.liferay.knowledge.base.web	-	5.0.109

https://github.com/liferay/liferay-portal/commit/46dd9b77cc2514761828d9b483a1dfe5d6e6b76d
https://liferay.atlassian.net/browse/LPE-17842
https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-62255

Vulnerability Database

CVE-2025-62255

Deep Security Visibility Without the Complexity