CVE-2025-43781 — Liferay Portal is vulnerable to XSS attack through its search bar portlet

Description

A reflected cross-site scripting (XSS) vulnerability in Liferay Portal 7.4.3.110 through 7.4.3.128, and Liferay DXP 2024.Q3.1 through 2024.Q3.8, 2024.Q2.0 through 2024.Q2.13 and 2024.Q1.1 through 2024.Q1.12 allows remote attackers to inject arbitrary web script or HTML via the URL in search bar portlet

How to fix CVE-2025-43781

To remediate CVE-2025-43781, upgrade the affected package to a fixed version below.

Maven/com.liferay:com.liferay.portal.search.web—upgrade to 6.0.143 or later

Is CVE-2025-43781 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 6.0.125, < 6.0.143

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-43781
PATCHgithub.com/liferay/liferay-portal
WEBgithub.com/liferay/liferay-portal/commit/f6483b5cff5c07b562c52f9eec336b2ebc9eeacd
WEBliferay.atlassian.net/browse/LPE-18124