CVE-2025-43766 — Liferay Portal allows unrestricted upload of file in the style books component

Description

The Liferay Portal 7.4.0 through 7.3.3.131, and Liferay DXP 2024.Q4.0, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12 and 7.4 GA through update 92 allows the upload of unrestricted files in the style books component that are processed within the environment enabling arbitrary code execution by attackers.

How to fix CVE-2025-43766

To remediate CVE-2025-43766, upgrade the affected package to a fixed version below.

Maven/com.liferay:com.liferay.style.book.web—upgrade to 2.0.117 or later

Is CVE-2025-43766 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 2.0.117

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-43766
PATCHgithub.com/liferay/liferay-portal
WEBgithub.com/liferay/liferay-portal/commit/d4a5b8fc9f88468168603ff8a1f9b81fa5b7c43e
WEBliferay.atlassian.net/browse/LPE-18145