15 matches found

Veracode
added 2025/12/13 5:8 a.m., 2 views

Denial Of Service (DoS)

Liferay Portal and Liferay DXP are vulnerable to denial of service (DoS). The vulnerability is due to the absence of limits on the number of objects returned from Headless API requests, which allows an attacker to exploit the application by sending requests that retrieve an excessively large number...

CVSS: 7.5 | AI score: 5.8 | EPSS: 0.00169
Exploits: 0 | References: 4 | Affected Software: 1
Github Security Blog
added 2025/10/28 12:31 a.m., 5 views

Liferay Portal Vulnerable to DoS via Crafted Headless API Request

Liferay Portal 7.4.0 through 7.4.3.99, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions do not limit the number of objects returned from Headless API requests, which allows remote attackers to perform denial-of-servi...

CVSS: 7.5 | AI score: 7 | EPSS: 0.00169
Exploits: 0 | References: 5 | Affected Software: 1
Snyk
added 2025/10/28 12:31 a.m., 3 views

Cross-site Request Forgery (CSRF)

Overview: Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) via the endpoint parameter in Headless API. An attacker can perform unauthorized actions by tricking a user into making unintended requests. Remediation: A fix was pushed into the master branch but not yet...

CVSS: 8.5 | AI score: 6.9 | EPSS: 0.00023
Exploits: 0 | References: 2
Snyk
added 2025/10/28 12:31 a.m., 1 view

Allocation of Resources Without Limits or Throttling

Overview: com.liferay:com.liferay.portal.vulcan.impl is a Liferay Portal Vulcan Implementation. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the Headless API endpoint, which does not limit the number of returned objects. An attacker can...

CVSS: 7.5 | AI score: 6.6 | EPSS: 0.00169
Exploits: 0 | References: 2
NVD
added 2025/10/27 11:15 p.m., 4 views

CVE-2025-62258

CSRF vulnerability in Headless API in Liferay Portal 7.4.0 through 7.4.3.107, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions allows remote attackers to execute any Headless API via the endpoint parameter...

CVSS: 7 | EPSS: 0.00023
Exploits: 0 | References: 1
OSV
added 2025/10/27 10:15 p.m., 1 view

CVE-2025-62260

Liferay Portal 7.4.0 through 7.4.3.99, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions do not limit the number of objects returned from Headless API requests, which allows remote attackers to perform denial-of-servi...

CVSS: 7.5 | AI score: 6.6 | EPSS: 0.00169
Exploits: 0 | References: 1
EUVD
added 2025/10/03 8:7 p.m., 1 view

EUVD-2025-31166

Malicious code in bioql PyPI...

CVSS: 6.9 | AI score: 6.4 | EPSS: 0.00129
Exploits: 0 | References: 4
RedhatCVE
added 2025/09/26 8:51 p.m., 6 views

CVE-2025-43816

A memory leak in the headless API for StructuredContents in Liferay Portal 7.4.0 through 7.4.3.119, and older unsupported versions, and Liferay DXP 2024.Q1.1 through 2024.Q1.5, 2023.Q4.0 through 2024.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions...

CVSS: 6.9 | AI score: 6.9 | EPSS: 0.00129
Exploits: 0 | References: 1
Github Security Blog
added 2025/09/25 9:30 p.m., 3 views

Liferay Portal and DXP vulnerable to a memory leak

A memory leak in the headless API for StructuredContents in Liferay Portal 7.4.0 through 7.4.3.119, and older unsupported versions, and Liferay DXP 2024.Q1.1 through 2024.Q1.5, 2023.Q4.0 through 2024.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions...

CVSS: 7.5 | AI score: 6.9 | EPSS: 0.00129
Exploits: 0 | References: 4 | Affected Software: 1
NVD
added 2025/09/25 8:15 p.m., 2 views

CVE-2025-43816

A memory leak in the headless API for StructuredContents in Liferay Portal 7.4.0 through 7.4.3.119, and older unsupported versions, and Liferay DXP 2024.Q1.1 through 2024.Q1.5, 2023.Q4.0 through 2024.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions...

CVSS: 7.5 | EPSS: 0.00129
Exploits: 0 | References: 1
Vulnrichment
added 2025/09/25 8:2 p.m., 1 view

CVE-2025-43816

A memory leak in the headless API for StructuredContents in Liferay Portal 7.4.0 through 7.4.3.119, and older unsupported versions, and Liferay DXP 2024.Q1.1 through 2024.Q1.5, 2023.Q4.0 through 2024.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions...

CVSS: 6.9 | AI score: 6.5 | EPSS: 0.00129
Exploits: 0 | References: 1
Cvelist
added 2025/09/25 8:2 p.m., 4 views

CVE-2025-43816

A memory leak in the headless API for StructuredContents in Liferay Portal 7.4.0 through 7.4.3.119, and older unsupported versions, and Liferay DXP 2024.Q1.1 through 2024.Q1.5, 2023.Q4.0 through 2024.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions...

CVSS: 6.9 | EPSS: 0.00129
Exploits: 0 | References: 1
CVE
added 2025/09/25 8:2 p.m., 6 views

CVE-2025-43816

CVE-2025-43816 describes a memory leak in the headless API for StructuredContents of Liferay Portal/DXP. Affected: Liferay Portal 7.4.0–7.4.3.119; Liferay Portal 7.4 GA up to update 92; Liferay DXP 2024.Q1.1–2024.Q1.5, 2023.Q4.0–2024.Q4.10, 2023.Q3.1–2023.Q3.10; related unsupported/older versions...

CVSS: 7.5 | AI score: 6.5 | EPSS: 0.00129
Exploits: 0 | References: 1 | Affected Software: 2
Snyk
added 2024/10/22 6:32 p.m., 1 view

Incorrect Authorization

Overview: Affected versions of this package are vulnerable to Incorrect Authorization in the workflow component. An attacker can gain unauthorized access to modify workflow definitions and execute arbitrary code by exploiting insufficient permission checks via the headless API. Remediation: Upgrade...

CVSS: 9.4 | AI score: 7.9 | EPSS: 0.04275
Exploits: 0 | References: 2
Positive Technologies
added 2024/10/22 12:0 a.m., 2 views

PT-2024-27874

Name of the Vulnerable Software and Affected Versions: Liferay Portal versions 7.3.2 through 7.4.3.111; Liferay DXP versions 2023.Q4.0 through 2023.Q4.5; Liferay DXP versions 2023.Q3.1 through 2023.Q3.8; Liferay DXP 7.4 GA through update 92; Liferay DXP 7.3 GA through update 36. Description: The workflo...

CVSS: 9 | AI score: 7.3 | EPSS: 0.04275
Exploits: 0 | References: 12