CVE-2025-43826: Liferay Portal Vulnerable to XSS in Web Content translation

October 1, 2025 (updated December 17, 2025)

Stored Cross-site Scripting (XSS) vulnerabilities in Web Content translation in Liferay Portal 7.4.0 through 7.4.3.112, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.8, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions allow remote attackers to inject arbitrary web script or HTML via any rich text field in a web content article.

References

github.com/advisories/GHSA-qh92-cr5f-3595
github.com/liferay/liferay-portal
liferay.atlassian.net/browse/LPE-17939
liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43826
nvd.nist.gov/vuln/detail/CVE-2025-43826

Code Behaviors & Features

Detect and mitigate CVE-2025-43826 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →