CVE-2025-43778 — Liferay Portal is vulnerable to XSS attack through fieldset name in Kaleo Forms

Description

A Stored cross-site scripting vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.11, 2025.Q1.0 through 2025.Q1.16, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13 and 2024.Q1.1 through 2024.Q1.20 allows an remote authenticated attacker to inject JavaScript through the name of a fieldset in Kaleo Forms Admin. The malicious payload is stored and executed without proper sanitization or escaping.

How to fix CVE-2025-43778

To remediate CVE-2025-43778, upgrade the affected package to a fixed version below.

—upgrade to 5.0.107 or later

Is CVE-2025-43778 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 5.0.3, < 5.0.107

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-43778
WEBgithub.com/liferay/liferay-portal
WEBgithub.com/liferay/liferay-portal/commit/a540e050d0d939218cfb90b1e5b6c21244a834cb
WEBliferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43778