CVE-2025-43766
- Source
- https://cve.org/CVERecord?id=CVE-2025-43766
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-43766.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2025-43766
- Aliases
- Published
- 2025-08-23T05:15:32.023Z
- Modified
- 2026-04-12T16:55:20.586043Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
The Liferay Portal 7.4.0 through 7.3.3.131, and Liferay DXP 2024.Q4.0, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12 and 7.4 GA through update 92 allows the upload of unrestricted files in the style books component that are processed within the environment enabling arbitrary code execution by attackers.
- References
Affected packages
Git / github.com/liferay/liferay-portal
Affected ranges
- Type
- GIT
- Repo
- https://github.com/liferay/liferay-portal
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedLast affectedIntroduced0 Unknown introduced commit / All previous commits are affectedLast affectedIntroducedFixed
- Database specific
{ "versions": [ { "introduced": "0" }, { "last_affected": "7.4-update1" }, { "introduced": "0" }, { "last_affected": "7.4-update2" }, { "introduced": "7.4.0" }, { "fixed": "7.4.3.132" } ] }
Affected versions
7.*
7.4.0-ga1
7.4.1-ga2
7.4.2-ga3
7.4.3.4-ga4
7.4.3.41-ga41
7.4.3.5-ga5
7.4.3.6-ga6
7.4.3.7-ga7
7.4.3.88-ga88
Database specific
vanir_signatures
[
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"103302773237074788461801313682446763330",
"60853900272161977226321758184551802988",
"191378307748951099486338189471951812045",
"164880871512209417113954673574280468464",
"202485877113214607873722865538960039931",
"60853900272161977226321758184551802988",
"191378307748951099486338189471951812045",
"164880871512209417113954673574280468464"
]
},
"id": "CVE-2025-43766-0b9fe555",
"signature_type": "Line",
"source": "https://github.com/liferay/liferay-portal/commit/a9017d1f654503189fcd6eecd59bd501a7015b8c",
"deprecated": false,
"target": {
"file": "portal-kernel/src/com/liferay/portal/kernel/upgrade/BasePortletPreferencesUpgradeProcess.java"
},
"signature_version": "v1"
},
{
"digest": {
"function_hash": "170699539902466296749337177159259793854",
"length": 2763.0
},
"id": "CVE-2025-43766-98b65317",
"signature_type": "Function",
"source": "https://github.com/liferay/liferay-portal/commit/a9017d1f654503189fcd6eecd59bd501a7015b8c",
"deprecated": false,
"target": {
"function": "_upgradePortletPreferenceValues",
"file": "portal-kernel/src/com/liferay/portal/kernel/upgrade/BasePortletPreferencesUpgradeProcess.java"
},
"signature_version": "v1"
}
]
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-43766.json"
vanir_signatures_modified
"2026-04-12T16:55:20Z"
unresolved_ranges
[
{
"events": [
{
"introduced": "2024.Q1.1"
},
{
"fixed": "2024.Q1.14"
}
]
},
{
"events": [
{
"introduced": "2024.q2.0"
},
{
"last_affected": "2024.q2.13"
}
]
},
{
"events": [
{
"introduced": "2024.q3.1"
},
{
"last_affected": "2024.q3.13"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.4-NA"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.4-update10"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.4-update11"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.4-update12"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.4-update13"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.4-update14"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.4-update15"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.4-update16"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.4-update17"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.4-update18"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.4-update19"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.4-update20"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.4-update21"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.4-update22"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.4-update23"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.4-update24"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.4-update25"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.4-update26"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.4-update27"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.4-update28"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.4-update29"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.4-update3"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.4-update30"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.4-update31"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.4-update32"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.4-update33"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.4-update34"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.4-update35"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.4-update36"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.4-update37"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.4-update38"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.4-update39"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.4-update4"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.4-update40"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.4-update41"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.4-update42"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.4-update43"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.4-update44"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.4-update45"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.4-update46"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.4-update47"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.4-update48"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.4-update49"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.4-update5"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.4-update50"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.4-update51"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.4-update52"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.4-update53"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.4-update54"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.4-update55"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.4-update56"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.4-update57"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.4-update58"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.4-update59"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.4-update6"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.4-update60"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.4-update61"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.4-update62"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.4-update63"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.4-update64"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.4-update65"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.4-update66"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.4-update67"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.4-update68"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.4-update69"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.4-update7"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.4-update70"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.4-update71"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.4-update72"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.4-update73"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.4-update74"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.4-update75"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.4-update76"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.4-update77"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.4-update78"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.4-update79"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.4-update8"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.4-update80"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.4-update81"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.4-update82"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.4-update83"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.4-update84"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.4-update85"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.4-update86"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.4-update87"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.4-update88"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.4-update89"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.4-update9"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.4-update90"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.4-update91"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.4-update92"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2024.q4.0"
}
]
}
]