CVE-2025-43748 HIGH

Vendor Liferay
Product Portal
Weakness CWE-352 · CSRF
Published August 20, 2025
Last update February 26, 2026

CVSS base score

7.1/10
Attack vector Network
Attack complexity High
Privileges required High
User interaction Active
Confidentiality High
Integrity High

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

Insufficient CSRF protection for omni-administrator users in Liferay Portal 7.0.0 through 7.4.3.119, and Liferay DXP 2024.Q1.1 through 2024.Q1.6, 2023.Q4.0 through 2023.Q4.9, 2023.Q3.1 through 2023.Q3.9, 7.4 GA through update 92, 7.3 GA through update 36, and older unsupported versions allows attackers to execute Cross-Site Request Forgery

Key dates

02 Disclosure timeline

August 20, 2025 CVE published
February 26, 2026 Record updated