Home > Vulnerability Database > CVE-2025-62246

Mend.io Vulnerability Database

CVE-2025-62246

Good to know:

Date: October 13, 2025

Multiple stored cross-site scripting (XSS) vulnerabilities in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92, and older unsupported versions allow remote authenticated users to inject arbitrary web script or HTML via a crafted payload injected into a user’s first, middle or last name text field to (1) page comments widget, (2) blog entry comments, (3) document and media document comments, (4) message board messages, (5) wiki page comments or (6) other widgets/apps that supports mentions.

Severity Score

5.5

Related Resources (6)

Url: https://liferay.atlassian.net/browse/LPE-17940

Url: https://github.com/liferay/liferay-portal

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-62246

Url: https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-62246

Url: https://github.com/liferay/liferay-portal/commit/4218ecd902dbd860d3f9ee233b0ffa4c822a49ee

Url: https://www.mend.io/vulnerability-database/CVE-2025-62246

Severity Score

5.5

Weakness Type (CWE)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-79

Top Fix

Upgrade Version

Upgrade to version com.liferay:com.liferay.mentions.web:6.0.35

Learn More

CVSS v3.1

Base Score:	5.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	LOW

Mend.io Vulnerability Database

We found results for “”

CVE-2025-62246

Good to know:

Date: October 13, 2025

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?