341 CVEs

1 in CISA KEV

Liferay Vulnerabilities

CVE security advisories and vulnerability history for Liferay.

341

Total CVEs

Published

1

In CISA KEV

Exploited in the wild

19

Public exploits

With known exploit

6.0

Avg CVSS

2005–2025

Overview

Liferay has 341 published CVE records since 2005, of which 1 are in CISA's Known Exploited Vulnerabilities catalog and 19 have a known public exploit. The average CVSS base score across scored CVEs is 6.0.

This page aggregates every publicly disclosed vulnerability (CVE) affecting Liferay products, with severity breakdowns, the most-affected products, the most common weakness types, and the latest disclosures.

Severity and exploitation

How the CVSS severity of Liferay's CVEs breaks down, plus how many are exploited in the wild or have public exploit code.

Critical27

High24

Medium187

Low11

92 additional CVEs have no CVSS severity score.

In CISA’s Known Exploited Vulnerabilities catalog

1

One of Liferay's CVEs is confirmed exploited in the wild.

Public exploits

19

19 of Liferay's CVEs have a known public exploit available.

Most affected products

The Liferay products with the most published CVEs.

liferay portal319 CVEs
liferay-portal299 CVEs
digital experience platform264 CVEs
DXP243 CVEs
Portal210 CVEs
com.liferay.portal:release.portal.bom159 CVEs
com.liferay.portal:release.dxp.bom125 CVEs
liferay45 CVEs

Common weakness types

The CWE weakness categories most often found in Liferay CVEs. Follow any weakness for its full explanation.

CNAs that assign these CVEs

The CVE Numbering Authorities that publish Liferay CVE records.

Disclosure activity by year

How many Liferay CVEs were published each year.

2018

2

2019

4

2020

9

2021

34

2022

49

2023

27

2024

43

2025

144

Latest Liferay CVEs

The most recently disclosed vulnerabilities affecting Liferay.

Medium vulnerability · 2025-11-01
CWE-863
Medium · CVSS 6.9
EPSS 0.1%2025-11-01
Medium vulnerability · 2025-10-31
CWE-525
Medium · CVSS 4.6
EPSS 0.0%2025-10-31
Medium vulnerability · 2025-10-31
CWE-79
Medium · CVSS 4.6
EPSS 0.0%2025-10-31
Medium vulnerability · 2025-10-31
CWE-79
Medium · CVSS 5.1
EPSS 0.0%2025-10-31
Medium vulnerability · 2025-10-30
CWE-79
Medium · CVSS 4.8
EPSS 0.0%2025-10-30
Medium vulnerability · 2025-10-30
CWE-601
Medium · CVSS 5.1
EPSS 0.0%2025-10-30
Medium vulnerability · 2025-10-29
CWE-307
Medium · CVSS 6.3
EPSS 0.0%2025-10-29
High vulnerability · 2025-10-27
CWE-352
High · CVSS 7.0
EPSS 0.0%2025-10-27
Medium vulnerability · 2025-10-27
CWE-863
Medium · CVSS 6.9
EPSS 0.1%2025-10-27
High vulnerability · 2025-10-27
CWE-400
High · CVSS 7.1
EPSS 0.2%2025-10-27
Medium vulnerability · 2025-10-27
CWE-312
Medium · CVSS 6.9
EPSS 0.0%2025-10-27
Medium vulnerability · 2025-10-27
CWE-532
Medium · CVSS 4.6
EPSS 0.0%2025-10-27

Track new Liferay CVEs as they are disclosed and get AI-written analysis and remediation guidance.

Monitor Liferay CVEs

Other vendors

Browse vulnerabilities for other tracked vendors.

rockwellautomation353 CVEs Synology347 CVEs openbsd346 CVEs sourceware339 CVEs zyxel334 CVEs asus334 CVEs HCL Software332 CVEs cybozu330 CVEs

Browse all vendors

Frequently asked questions

Common questions about Liferay vulnerabilities.

How many CVEs does Liferay have?

Liferay has 341 published CVE records since 2005, including 144 in the last two years.

How many Liferay CVEs are in CISA KEV?

Yes — 1 of Liferay's CVEs are listed in CISA's Known Exploited Vulnerabilities catalog, confirmed exploited in the wild and carrying a CISA remediation deadline.

Which Liferay products have the most CVEs?

The Liferay products with the most published CVEs are liferay portal, liferay-portal, digital experience platform, DXP, Portal.

What are the most common weakness types in Liferay CVEs?

Liferay's CVEs most often map to these CWE weakness types: CWE-79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')), CWE-352 (Cross-Site Request Forgery (CSRF)), CWE-639 (Authorization Bypass Through User-Controlled Key), CWE-601 (URL Redirection to Untrusted Site ('Open Redirect')).

Are there public exploits for Liferay vulnerabilities?

Yes — 19 of Liferay's CVEs have a known public exploit.

How many critical Liferay vulnerabilities are there?

Liferay has 27 critical and 24 high-severity CVEs.

What is the average severity of Liferay CVEs?

The average CVSS base score across Liferay's scored CVEs is 6.0.

References

Vulnerability data is sourced from the CVE Program; severity, KEV, and exploit signals are aggregated by RadicalNotion.AI.

Track Liferay vulnerabilities

Monitor new Liferay vulnerabilities as they are disclosed, with AI-written analysis and remediation guidance.

Start free See pricing