CVE-2025-43804 — Liferay search widget vulnerable to Cross-site Scripting

Description

There is a Cross-site scripting (XSS) vulnerability in Liferay Portal's Search widget . Versions 7.4.3.93 through 7.4.3.111, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4 allow remote attackers to inject arbitrary web scripts or HTML via the `_com_liferay_portal_search_web_portlet_SearchPortlet_userId` parameter.

How to fix CVE-2025-43804

To remediate CVE-2025-43804, upgrade the affected package to a fixed version below.

Maven/com.liferay:com.liferay.portal.search—upgrade to 8.0.93 or later

Is CVE-2025-43804 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 8.0.93

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-43804
PATCHgithub.com/liferay/liferay-portal
WEBgithub.com/liferay/liferay-portal/commit/141f3fc8379e56831fae45a5b2647e86dab9d265
WEBliferay.atlassian.net/browse/LPE-17892