com.liferay.portal:com.liferay.portal.impl (Maven) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the Maven package com.liferay.portal:com.liferay.portal.impl, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (18)
CVE-2021-29050 — CVSS 8.8 (high): Cross-Site Request Forgery (CSRF) vulnerability in the terms of use page in Liferay Portal before 7.3.6, and Liferay DXP 7.3 before service…
CVE-2025-43813 — CVSS 8.2 (high): Possible path traversal vulnerability and denial-of-service in the ComboServlet in Liferay Portal 7.4.0 through 7.4.3.107, and older…
CVE-2025-43768 — CVSS 7.7 (high): Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through…
CVE-2025-62254 — CVSS 7.5 (high): The ComboServlet in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.2…
CVE-2021-33321 — CVSS 7.5 (high): Insecure default configuration in Liferay Portal 6.2.3 through 7.3.2, and Liferay DXP before 7.3, allows remote attackers to enumerate user…
CVE-2021-33322 — CVSS 7.5 (high): In Liferay Portal 7.3.0 and earlier, and Liferay DXP 7.0 before fix pack 96, 7.1 before fix pack 18, and 7.2 before fix pack 5, password…
CVE-2025-43793 — CVSS 7.5 (high): Liferay Portal 7.4.0 through 7.4.3.105, and older unsupported versions, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA…
CVE-2025-43801 — CVSS 7.5 (high): Unchecked input for loop condition vulnerability in XML-RPC in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and…
CVE-2025-62261 — CVSS 6.5 (medium): Liferay Portal 7.4.0 through 7.4.3.99, and older unsupported versions, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update…
CVE-2025-62249 — CVSS 6.1 (medium): A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q3.0 through…
CVE-2025-43735 — CVSS 6.1 (medium): A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q4.0 through…
CVE-2025-62276 — CVSS 5.5 (medium): The Document Library and the Adaptive Media modules in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay…
CVE-2020-15840 — CVSS 5.3 (medium): In Liferay Portal before 7.3.1, Liferay Portal 6.2 EE, and Liferay DXP 7.2, DXP 7.1 and DXP 7.0, the property 'portlet.resource.id.banned.pa…
CVE-2022-41414 — CVSS 5.3 (medium): An insecure default in the component auth.login.prompt.enabled of Liferay Portal v7.0.0 through v7.4.2 allows attackers to enumerate…
CVE-2025-43794 — CVSS 4.8 (medium): Stored cross-site scripting (XSS) vulnerability in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP…
CVE-2025-62252 — CVSS 4.3 (medium): Insecure Direct Object Reference (IDOR) vulnerability in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and…
CVE-2025-43809 — CVSS 4.3 (medium): Cross-Site Request Forgery (CSRF) vulnerability in the server (license) registration page in Liferay Portal 7.4.0 through 7.4.3.111, and…
CVE-2022-26595 — CVSS 4.3 (medium): Liferay Portal 7.3.7, 7.4.0, and 7.4.1, and Liferay DXP 7.2 fix pack 13, and 7.3 fix pack 2 does not properly check user permission when…