Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2025-4576Cross-site Scripting in DXP

CWE-79Cross-site Scripting5 documents5 sources
Severity
6.9MEDIUMNVD
EPSS
5.6%
top 9.68%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
4
Liferay DXPLiferay PortalLiferay Digital Experience Platform+1 more
Timeline
PublishedAug 8

Description

A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.133, and Liferay DXP 2025.Q1.0 through 2025.Q1.4 ,2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.15, 7.4 GA through update 92 allows an remote non-authenticated attacker to inject JavaScript into the modules/apps/blogs/blogs-web/src/main/resources/META-INF/resources/blogs/entry_cover_image_caption.jsp

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N

Affected Packages4 packages

CVEListV5liferay/portal7.4.07.4.3.132
NVDliferay/liferay_portal7.4.07.4.3.133
CVEListV5liferay/dxp7.4.137.4.13-u92+5
NVDliferay/digital_experience_platform2024.q1.12024.q1.15+5

🔴Vulnerability Details

3
CVEList
CVE-2025-4576: A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 72025-08-08
OSV
Liferay Portal Reflected XSS in blogs-web2025-08-08
GHSA
Liferay Portal Reflected XSS in blogs-web2025-08-08

💥Exploits & PoCs

1
Nuclei
Liferay Portal & DXP - Cross-Site Scripting
CVE-2025-4576 — Cross-site Scripting in Liferay DXP | cvebase