CVE-2025-43826: 
Java vulnerability analysis and mitigation

CVE-2025-43826 is a stored cross-site scripting (XSS) vulnerability affecting Liferay Portal versions 7.4.0 through 7.4.3.112 and Liferay DXP versions 2023.Q4.0 through 2023.Q4.8, 2023.Q3.1 through 2023.Q3.10, and 7.4 GA through update 92. The vulnerability was discovered and disclosed on September 30, 2025 (NVD, Liferay Advisory).

The vulnerability allows remote attackers to inject arbitrary web script or HTML via any rich text field in a web content article's translation functionality. The CVSS v4.0 base score is 4.8 (Medium) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N. The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation (NVD).

The vulnerability allows attackers to execute arbitrary web scripts or inject HTML content through the web content translation feature, potentially affecting users who access the compromised content. The impact is considered medium severity with low confidentiality, integrity, and availability impacts (Liferay Advisory).

Fixed versions have been released to address this vulnerability: Liferay Portal 7.4.3.113, Liferay DXP 2024.Q2.0, Liferay DXP 2024.Q1.3, and Liferay DXP 2023.Q4.9. Users are recommended to upgrade to these versions to mitigate the vulnerability (Liferay Advisory).