The Liferay security problem in 2026
Liferay Portal and Liferay DXP power mission-critical enterprise systems – including partner platforms at organizations such as Volkswagen Group and Škoda Auto, customer portals at financial institutions like Allianz, and internal systems at global enterprises such as Air France and Fujitsu. With more than 1,000 organizations worldwide relying on the platform (based on Liferay’s IDC MarketScape announcement), vulnerabilities in Liferay are not theoretical risks – they directly impact business operations.
That risk profile has intensified sharply. More than 80 vulnerabilities were published against Liferay Portal alone in 2025, according to aggregated NVD data from stack.watch, roughly doubling the 42 vulnerabilities disclosed in 2024. Across both Portal and DXP product lines, total disclosures exceed that figure, reflecting a clear upward trend in vulnerability volume.
At the same time, exploitation timelines continue to shrink. Industry reporting based on Rapid7 research shows that high-risk vulnerabilities are now weaponized and added to exploitation catalogs within days, with median time to inclusion in CISA’s Known Exploited Vulnerabilities (KEV) catalog dropping to around five days (as reported by CSO Online).
This creates a structural problem for Liferay operators. The platform’s quarterly release cadence and complex upgrade paths mean that patching is rarely immediate. More importantly, for some Liferay version tracks, this is not just a delay – it is a permanent exposure window. Certain vulnerabilities cannot be patched on older versions at all, meaning systems remain vulnerable until a full upgrade is completed.
The practical challenge is not just knowing that vulnerabilities exist – it is determining which CVEs affect your specific Liferay version and which are actually exploitable in your running application. Manually cross-referencing version numbers against vulnerability databases is slow and does not confirm exploitability. Automated scanning solves this by fingerprinting your deployment and validating applicable vulnerabilities directly.
Why Liferay installations are particularly exposed
The maintenance mode trap
Many enterprise organizations run Liferay versions such as 7.3.x or early 7.4.x under “Maintenance Mode.” While technically supported, these versions often do not receive full security backports.
A clear example is CVE-2022-42126, which affects Liferay Portal versions 7.3.5 through 7.4.3.28. These versions remain vulnerable with no patch available in the 7.3.x track. The only remediation path is upgrading to a newer release line.
This creates a growing backlog of unresolved vulnerabilities that cannot be addressed incrementally and forces organizations into complex, time-consuming upgrade projects.
Version fingerprinting exposure
By default, Liferay reports the installed product and version in a Liferay-Portal HTTP response header on every page it serves. This lets an attacker read the exact version of a target system with a single request and match it against known CVEs.
Instead of probing blindly, an attacker can build a precise list of applicable exploits within seconds. Version disclosure effectively turns publicly accessible portals into self-identifying targets.
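As an added example (not part of the original article and not Acunetix code), the following Python script does the same fingerprint-to-CVE mapping a scanner performs: it parses the Liferay-Portal header into a comparable version and checks it against the Liferay Portal CE version ranges this article quotes for CVE-2020-7961, CVE-2022-42126 and CVE-2024-25607. The header strings are constructed approximations of the real format, and the table is deliberately limited to those three CVEs. Note the caveat the code encodes: a DXP header carries the base version (for example 7.4.13) but not the update or fix pack level, so DXP builds are returned for manual verification rather than matched.

```python
"""Fingerprint Liferay from its Liferay-Portal response header and map the
version to CVE ranges. Added example; CVE_RANGES holds only the three ranges
quoted in the article (Liferay Portal CE), not a complete vulnerability database."""
import re
import urllib.request

# (cve, affected_from_inclusive, affected_before_exclusive) for Liferay Portal CE.
CVE_RANGES = [
    ("CVE-2020-7961", None, (7, 2, 1)),            # RCE via /api/jsonws, prior to 7.2.1 CE GA2
    ("CVE-2022-42126", (7, 3, 5), (7, 4, 3, 29)),  # 7.3.5 through 7.4.3.28
    ("CVE-2024-25607", (7, 2, 0), (7, 4, 3, 16)),  # 7.2.0 through 7.4.3.15
]

# Constructed header values approximating the real format (not captured from live systems).
SAMPLE_HEADERS = {
    "ce_735": "Liferay Community Edition Portal 7.3.5 CE GA6 (Athanasius / Build 7305 / 2020-10-07)",
    "ce_713": "Liferay Community Edition Portal 7.1.3 CE GA4 (Judson / Build 7103 / 2019-03-12)",
    "ce_74330": "Liferay Community Edition Portal 7.4.3.30 CE GA30 (Athanasius / Build 7400 / 2022-07-29)",
    "ce_partial": "Liferay Community Edition Portal",  # what a verbosity-reduced header looks like
    "dxp_7413": "Liferay Digital Experience Platform 7.4.13 (Athanasius / Build 7413 / 2022-05-03)",
}

VERSION_RE = re.compile(r"\b(\d+(?:\.\d+){1,3})\b")


def parse_header(value):
    """Return (edition, version_tuple); version_tuple is None when suppressed."""
    edition = "dxp" if "Digital Experience Platform" in value else "ce"
    match = VERSION_RE.search(value)
    if match is None:
        return edition, None
    return edition, tuple(int(part) for part in match.group(1).split("."))


def in_range(version, lo, hi):
    """Tuple comparison orders 7.3.5 < 7.4.3.28 correctly; lo is inclusive, hi exclusive."""
    if lo is not None and version < lo:
        return False
    return version < hi


def applicable_cves(header_value):
    """Map one header value to the CVE ranges above. The 'note' field is set when
    the version cannot be matched and other fingerprints (HTML, paths) are needed."""
    edition, version = parse_header(header_value)
    if version is None:
        return {"edition": edition, "version": None, "cves": [],
                "note": "version suppressed in header; use HTML and path fingerprints"}
    version_str = ".".join(str(p) for p in version)
    if edition == "dxp":
        return {"edition": edition, "version": version_str, "cves": [],
                "note": "DXP update/fix pack level is not in the header; verify manually"}
    cves = [cve for cve, lo, hi in CVE_RANGES if in_range(version, lo, hi)]
    return {"edition": edition, "version": version_str, "cves": cves, "note": ""}


def fetch_header(url, timeout=10):
    """Live check against a system you are authorized to test (not exercised here):
    return the Liferay-Portal header value, or None when it is absent."""
    req = urllib.request.Request(url, headers={"User-Agent": "liferay-version-check"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.headers.get("Liferay-Portal")


if __name__ == "__main__":
    for name, value in SAMPLE_HEADERS.items():
        print(name, applicable_cves(value))
```

Running the script prints, for each constructed header, the parsed version and the CVEs whose range it falls in; the 7.3.5 sample matches CVE-2022-42126 and CVE-2024-25607, the 7.1.3 sample matches CVE-2020-7961, and 7.4.3.30 matches none of the three. The range boundaries are the ones quoted in this article and should be re-checked against Liferay's known vulnerabilities database before being relied on.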
The authenticated attack surface
In enterprise Liferay deployments, large populations of authenticated users – including partners, customers, and employees – create a broad, low-barrier attack surface.
Many recent vulnerabilities allow authenticated users to:
- Access restricted data
- Bypass authorization controls
- Inject malicious content into shared components
This significantly increases real-world risk, as attackers may only need to compromise a low-privilege account to begin exploiting vulnerabilities.
High vulnerability density across modules
Liferay is a modular platform with dozens of components, including Web Content, Dynamic Data Mapping, Asset Libraries, Blogs, and Calendar.
Each module has its own vulnerability history. In 2025 alone, vulnerabilities were distributed across more than a dozen components, increasing the likelihood that any given deployment contains multiple exposed weaknesses.
Manually auditing this entire surface is not practical. Automated scanning is required to systematically test all exposed functionality and identify issues that are actually reachable in the running application.
Critical Liferay vulnerabilities to scan for in 2026
The following vulnerability classes represent the active risk profile for Liferay Portal and DXP installations. Each category includes real CVEs that can be detected through automated scanning and validated against your specific deployment.
Remote code execution – CVE-2020-7961
CVE-2020-7961 is one of the most critical Liferay vulnerabilities to date. It is a CVSS 9.8 vulnerability that allows unauthenticated remote code execution via unsafe deserialization in the JSON web services API.
No authentication is required and the vulnerability is exploitable over the network with no user interaction. It is also listed in CISA’s KEV, confirming active exploitation in real-world environments.
The vulnerability is exposed through the /api/jsonws endpoint, which can be probed directly to determine whether unsafe deserialization is possible in the running application. Automated scanning identifies whether the endpoint is accessible and whether the application is running a vulnerable version.
Broken access control and information disclosure
Access control failures are a recurring issue across Liferay modules and are especially difficult to detect without runtime testing. Key examples include:
- CVE-2022-42126 – Authorization bypass affecting Liferay Portal 7.3.5 through 7.4.3.28
- CVE-2025-62247 – Cross-instance data exposure via blueprint providers
- CVE-2025-43758 – Unauthorized access to uploaded files before submission
- CVE-2025-43773 – Improper access to internal data structures
These vulnerabilities often require only authenticated access, making them easier to exploit in real-world environments with large user populations.
Automated scanning is critical because it validates whether these authorization gaps are actually reachable in your deployment rather than simply identifying theoretical weaknesses.
Cross-site scripting (XSS)
XSS remains the most prevalent vulnerability class in Liferay deployments. Recent XSS CVEs include:
- CVE-2025-62240 – Calendar Events module
- CVE-2025-62267 – Web Content templates
- CVE-2025-43778, CVE-2025-43746, CVE-2025-43757, CVE-2025-62248 – Dynamic Data Mapping variants
- CVE-2025-43807 – Publication notifications
- CVE-2025-62264 – Language override feature
Affected versions span multiple Liferay Portal 7.4.x builds and corresponding DXP quarterly releases through at least early 2025. Version-specific impact should be verified against Liferay’s official known vulnerabilities database for precise coverage.
In Liferay environments, XSS carries elevated risk because content created by non-admin users is often rendered in privileged contexts. A stored payload inserted into a web content template or calendar event may execute in an administrator’s browser, enabling session hijacking or privilege escalation.
Automated scanning detects both reflected and stored XSS and verifies whether payloads can execute within real application workflows.
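The verification step described above, as an added example in Python (not the original article's content and not Acunetix code): a canary element is stored through a low-privilege workflow step and the privileged render is parsed, rather than string-searched, to decide whether the canary came back as live markup, as escaped text, or inside a script block. The canary tag name, the FakeCalendar stand-in and the two workflow hooks are this example's own constructions.

```python
"""Stored XSS verification with a tag canary. Added example, not Acunetix code.
A low-privilege step stores the canary; the privileged render is parsed to see
whether the canary came back as markup (exploitable), as escaped text (safe)
or inside a <script> element (needs a JavaScript-context check)."""
from html.parser import HTMLParser
import html
import secrets

CANARY_TAG = "zq7x"  # deliberately unusual element name so it never occurs naturally


def canary_payload(token):
    return f'<{CANARY_TAG} data-t="{token}"></{CANARY_TAG}>'


class _CanaryParser(HTMLParser):
    def __init__(self, token):
        super().__init__()
        self.token = token
        self.seen = set()
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        # The canary only reaches handle_starttag if the browser would parse it as an element.
        if tag == CANARY_TAG and ("data-t", self.token) in attrs:
            self.seen.add("markup")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Escaped output arrives here as text (character references already decoded).
        if self.token in data:
            self.seen.add("script" if self._in_script else "text")


def classify(rendered_html, token):
    """'markup' = canary parsed as an element (stored XSS confirmed),
    'script' = token landed inside <script> (check JS string escaping),
    'text' = HTML-escaped, 'absent' = not rendered on this page."""
    parser = _CanaryParser(token)
    parser.feed(rendered_html)
    parser.close()
    for verdict in ("markup", "script", "text"):
        if verdict in parser.seen:
            return verdict
    return "absent"


def verify_stored_xss(store_as_user, render_as_admin):
    """Drive the two-step workflow: store the canary with one identity, render
    with another, then classify. Both callables are hypothetical hooks into the
    application under test."""
    token = secrets.token_hex(8)
    store_as_user(canary_payload(token))
    return classify(render_as_admin(), token)


class FakeCalendar:
    """Constructed stand-in for a calendar event title shown in an admin view."""

    def __init__(self, escape_output):
        self.escape_output = escape_output
        self.title = ""

    def store(self, title):        # low-privilege user saves an event
        self.title = title

    def render_admin(self):        # admin dashboard renders the stored title
        shown = html.escape(self.title) if self.escape_output else self.title
        return f'<div class="event-title">{shown}</div>'


if __name__ == "__main__":
    for escaped in (True, False):
        cal = FakeCalendar(escape_output=escaped)
        print(f"escape_output={escaped} -> {verify_stored_xss(cal.store, cal.render_admin)}")
```

The parser-based verdict is what separates a real finding from noise: a plain substring search would flag the escaped rendering as well, because the decoded text still contains the token. The 'script' verdict is deliberately conservative, since whether a token inside a script block is exploitable depends on how the surrounding JavaScript string is delimited and escaped.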
Denial of service (DoS)
Several 2025 vulnerabilities introduce persistent availability risks:
- CVE-2025-43816 – Memory leaks leading to gradual service degradation
- CVE-2025-43801 – XML-RPC request handling causing service crashes
- CVE-2025-43796 – Resource exhaustion via targeted endpoint abuse
These vulnerabilities affect specific Liferay DXP quarterly releases and depend on exposed services such as XML-RPC endpoints and resource-intensive request handling. Automated scanning verifies whether these endpoints are accessible and susceptible in the deployed environment.
Insecure configuration
Two configuration-level issues affect many Liferay installations regardless of version:
- DNS rebinding vulnerabilities due to insecure default settings
- Version disclosure via HTTP headers
These weaknesses reduce the effort required for attackers to identify and exploit vulnerable systems.
Cryptographic weakness – CVE-2024-25607
CVE-2024-25607 is a high-severity vulnerability with a CVSS score of 8.1. It affects Liferay Portal versions 7.2.0 through 7.4.3.15 and Liferay DXP versions prior to their respective fixed updates, including 7.4 before update 16, 7.3 before update 4, and 7.2 before fix pack 17.
It involves weak password hashing configurations using PBKDF2-HMAC-SHA1 with insufficient work factors. If the user table is exfiltrated, an attacker can test candidate passwords against the stolen hashes far faster than a properly tuned work factor would allow, so the hash settings (the passwords.encryption.algorithm portal property) deserve review alongside the version check.
Automated scanning identifies affected versions and highlights the need for stronger cryptographic configurations or upgrades.
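To make the work-factor point concrete, here is an added example in Python (not from the article, Liferay or Acunetix). It hashes a password with PBKDF2-HMAC-SHA1 at several iteration counts, runs the offline dictionary attack an attacker would run against stolen hashes, measures the per-guess cost at each count, and flags a configured algorithm spec that falls below the OWASP-recommended floor. The 'Algorithm/keybits/rounds' spec shape is this example's assumption about the passwords.encryption.algorithm property format, and the wordlist and iteration counts are constructed for illustration, not Liferay's actual defaults.

```python
"""PBKDF2-HMAC-SHA1 work factor demo. Added example, not Liferay or Acunetix code.
Shows how the iteration count sets the cost of an offline guessing attack once
password hashes have been stolen, and flags a configured spec below the
OWASP Password Storage Cheat Sheet floor for PBKDF2-HMAC-SHA1."""
import hashlib
import hmac
import os
import time

MIN_ROUNDS_SHA1 = 1_300_000  # OWASP recommendation for PBKDF2-HMAC-SHA1 at the time of writing


def parse_algorithm_spec(spec):
    """Parse an 'Algorithm/keybits/rounds' spec (assumed shape of the
    passwords.encryption.algorithm value) into (name, key_bits, rounds)."""
    name, key_bits, rounds = spec.split("/")
    return name, int(key_bits), int(rounds)


def is_weak_spec(spec, min_rounds=MIN_ROUNDS_SHA1):
    name, _, rounds = parse_algorithm_spec(spec)
    return name.upper().endswith("SHA1") and rounds < min_rounds


def pbkdf2_sha1(password, salt, rounds, key_bits=160):
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, rounds,
                               dklen=key_bits // 8)


def crack(digest, salt, rounds, wordlist, key_bits=160):
    """Offline dictionary attack: return (recovered_password_or_None, guesses_tried).
    Each guess costs a full PBKDF2 run, which is exactly what the work factor buys."""
    for tried, candidate in enumerate(wordlist, start=1):
        if hmac.compare_digest(pbkdf2_sha1(candidate, salt, rounds, key_bits), digest):
            return candidate, tried
    return None, len(wordlist)


def seconds_per_guess(rounds, samples=3):
    """Measure single-core cost of one guess at this work factor."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for _ in range(samples):
        pbkdf2_sha1("benchmark", salt, rounds)
    return (time.perf_counter() - start) / samples


# Constructed wordlist; the victim's password is deliberately in it.
WORDLIST = ["password", "Summer2025!", "liferay", "Welcome1", "P@ssw0rd"]

if __name__ == "__main__":
    salt = os.urandom(16)
    for rounds in (1_000, 128_000, MIN_ROUNDS_SHA1):
        stolen = pbkdf2_sha1("Welcome1", salt, rounds)
        start = time.perf_counter()
        found, tried = crack(stolen, salt, rounds, WORDLIST)
        elapsed = time.perf_counter() - start
        rate = 1 / seconds_per_guess(rounds)
        print(f"rounds={rounds:>9}: recovered {found!r} after {tried} guesses "
              f"in {elapsed:.3f}s; about {rate:,.0f} guesses/s on one core")
    for spec in ("PBKDF2WithHmacSHA1/160/128000", "PBKDF2WithHmacSHA1/160/1300000"):
        print(spec, "-> weak" if is_weak_spec(spec) else "-> meets floor")
```

The guesses-per-second figure scales linearly with the iteration count, and a GPU cracking rig is several orders of magnitude faster than the single core measured here, which is why the OWASP floor is as high as it is. Raising the work factor only affects passwords hashed after the change; existing hashes are re-hashed at the next successful login, so a breach that occurred before the change still exposes the weaker hashes.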
How Acunetix scans Liferay Portal and DXP for vulnerabilities
Version fingerprinting
Acunetix identifies the installed Liferay version using multiple signals, including HTTP headers, HTML patterns, and file paths.
This allows the scanner to focus only on relevant CVEs, improving accuracy and eliminating unnecessary noise from irrelevant checks.
Known CVE checks
Acunetix includes a dedicated library of Liferay-specific vulnerability checks, covering:
- Remote code execution vulnerabilities
- Authentication bypass issues
- Cross-site scripting across modules
- XXE and file upload vulnerabilities
- Authorization failures
- Outdated installation detection
- Version disclosure
For Liferay-specific findings, results map directly to known CVEs and align with publicly documented vulnerability references, allowing teams to quickly correlate findings with remediation guidance.
Authenticated scanning
Many Liferay vulnerabilities are only accessible after login. Acunetix supports authenticated scanning through form-based authentication, token-based methods, and session management.
This includes support for Liferay’s JSON web services and API endpoints, where authentication is often handled via session tokens or custom headers rather than standard login flows.
AcuMonitor for out-of-band detection
Some vulnerabilities, such as blind XSS or SSRF, do not produce immediate responses during scanning.
In Liferay environments, this often occurs when a content editor injects a payload into a web content template or calendar event, which is later rendered in an administrator’s browser session. AcuMonitor detects these cases through out-of-band callbacks, confirming vulnerabilities that would otherwise remain invisible.
Continuous scanning
With vulnerability disclosures increasing and exploitation timelines shrinking, point-in-time testing is not sufficient.
Acunetix supports scheduled and continuous scanning to ensure that:
- Newly disclosed vulnerabilities are tested automatically
- Patches are verified after deployment
- Regression issues are identified early
This is essential in Liferay environments where quarterly releases can introduce both fixes and new vulnerabilities.
Remediation priorities for Liferay Portal and DXP in 2026
1. Upgrade from 7.3.x
Versions in the 7.3.x track have known vulnerabilities with no available patches. These systems should be prioritized for upgrade to a newer track.
2. Align with current DXP releases
Modern Liferay DXP releases (2024.Q1 and later) address the majority of recent CVEs. Organizations should align upgrade strategies with quarterly releases to minimize exposure.
3. Suppress version disclosure
Removing version information from HTTP headers prevents attackers from quickly identifying applicable vulnerabilities. In Liferay this is controlled by the http.header.version.verbosity portal property (set it to off, or to partial, in portal-ext.properties); confirm the change by requesting any page and checking that the Liferay-Portal response header no longer carries a version. Suppressing the header hides the version from opportunistic scanners but does not fix any underlying vulnerability.
4. Fix insecure defaults
Configuration issues such as missing DNS rebinding protection should be addressed immediately, since they are independent of the release track and far cheaper to fix than an upgrade.
5. Assess exposure from past vulnerabilities
For vulnerabilities involving data access, organizations should evaluate whether sensitive data may have been exposed during the vulnerable period.
6. Scan continuously
A Ponemon Institute and ServiceNow study found that up to 60% of organizations that experienced a breach reported a known but unpatched vulnerability as the root cause. Automated scanning in a continuous process ensures that newly disclosed vulnerabilities are identified and addressed before they can be exploited.
Scan your Liferay installation today
If you are running Liferay Portal 7.3.x, early 7.4.x, or an outdated DXP release, your environment may already be affected by known vulnerabilities.
Acunetix fingerprints your installed version, maps it against known CVEs, and validates which vulnerabilities are actually exploitable in your running application. This removes the need for manual analysis and helps teams focus on fixing real risks.
Get a demo or browse the Acunetix vulnerability index to explore several hundred Liferay-related vulnerability checks that are available in Acunetix to identify exposure and prioritize remediation.
FAQs about Liferay vulnerability scanning
Does Acunetix scan for Liferay vulnerabilities?
Yes. Acunetix includes a dedicated library of Liferay vulnerability checks and automatically tests those relevant to the detected version. This includes validation of exploitability, not just detection.
What are the most critical Liferay vulnerabilities?
Critical risks include CVE-2020-7961 (remote code execution with active exploitation), multiple XSS vulnerabilities across modules, access control bypasses such as CVE-2022-42126, and more recent DoS vulnerabilities affecting availability.
Is CVE-2022-42126 still a risk?
Yes. It affects Liferay Portal versions 7.3.5 through 7.4.3.28 and cannot be patched in certain release tracks. The only effective remediation is upgrading to a supported version.
Why are outdated Liferay deployments so common?
Outdated deployments are common in enterprise Liferay environments due to the complexity of upgrades and reliance on Maintenance Mode support tracks. Because some vulnerabilities are not patched in older versions, organizations often remain exposed until a full upgrade is completed.
How can I find out which CVEs affect my Liferay installation?
Automated scanning is the most reliable method. Acunetix fingerprints your version and tests applicable vulnerabilities directly, confirming whether they are exploitable.
Can Acunetix test vulnerabilities that require a logged-in user?
Yes. Acunetix supports authenticated scanning and evaluates vulnerabilities that require user-level access, including access control flaws and stored XSS.
Why is continuous scanning necessary for Liferay?
Because vulnerabilities are disclosed frequently and exploitation timelines are short, continuous scanning ensures that new risks are identified and addressed as soon as they appear.