Home > Vulnerability Database > CVE-2025-43774

Mend.io Vulnerability Database

CVE-2025-43774

Good to know:

Date: September 8, 2025

A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.17 allows a remote authenticated user to inject JavaScript code via Style Book theme name. This malicious payload is then reflected and executed within the user's browser.

Severity Score

4.4

Related Resources (6)

Url: https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43774

Url: https://github.com/liferay/liferay-portal

Url: https://liferay.atlassian.net/browse/LPE-18222

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-43774

Url: https://github.com/liferay/liferay-portal/commit/e15df92e3faa3abbf38e3643b79ab8cf2983d6df

Url: https://www.mend.io/vulnerability-database/CVE-2025-43774

Severity Score

4.4

Weakness Type (CWE)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-79

Top Fix

Upgrade Version

Upgrade to version com.liferay:com.liferay.frontend.taglib.clay:15.2.1

Learn More

CVSS v3.1

Base Score:	4.4
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	HIGH
User Interaction (UI):	NONE
Scope (S):	CHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2025-43774

Good to know:

Date: September 8, 2025

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?