CVE-2025-43766: 
Java vulnerability analysis and mitigation

The vulnerability CVE-2025-43766 affects Liferay Portal and Liferay DXP systems, discovered and disclosed on August 23, 2025. The vulnerability allows attackers to upload unrestricted files in the style books component that can be processed within the environment, enabling arbitrary code execution. The affected versions include Liferay Portal 7.4.0 through 7.3.3.131, and Liferay DXP versions spanning 2024.Q4.0, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, and 7.4 GA through update 92 (Liferay Advisory).

The vulnerability has been assigned a CVSS v4.0 Base Score of 6.8 (Medium) with the following vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N. This indicates that the vulnerability requires high privileges and active user interaction to exploit, with a network attack vector. The vulnerability is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) (NVD).

The vulnerability can lead to arbitrary code execution within the affected environment. The CVSS scoring indicates high impact on system integrity (VI:H), with lower impacts on confidentiality (VC:L) and availability (VA:L). There are no subsequent cascade effects on other systems (SC:N, SI:N, SA:N) (Liferay Advisory).

Liferay has released fixed versions to address this vulnerability: Liferay Portal 7.4.3.132, Liferay DXP 2024.Q1.13, Liferay DXP 2024.Q4.1, and Liferay DXP 2025.Q1.0. Organizations are advised to upgrade to these patched versions (Liferay Advisory).