What is the CVSS score of CVE-2025-3526?

CVE-2025-3526 has a CVSS 3.1 base score of 7.5 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. EPSS exploitation probability: 0.1%.

Which versions of Digital Experience Platform are affected by CVE-2025-3526?

Liferay Portal and DXP instances are vulnerable to denial-of-service attacks that exhaust server memory through malicious HTTP requests, potentially taking production systems offline.. A patch is available.

How to fix or mitigate CVE-2025-3526?

Within 24 hours: Identify all Liferay Portal/DXP systems in production and their versions; confirm exposure against affected version list (7.0.0-7.4.3.21, DXP 7.4 GA-U9, 7.3 GA-U25, older versions). Within 7 days: Implement network-level controls and WAF rules to detect/block suspicious parameter injection patterns; configure session timeout limits and memory monitoring alerts. Within 30 days: Evaluate upgrade path to patched Liferay version; engage vendor for patch availability; implement comprehensive request parameter validation at application layer.

Digital Experience Platform CVE-2025-3526

EUVD-2025-18403 HIGH

Uncontrolled Resource Consumption (CWE-400)

2025-06-16 security@liferay.com

GHSA-mf3r-6m25-3867

Information Disclosure Digital Experience Platform Liferay Portal

7.5

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

7.5 HIGH

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Lifecycle Timeline

Patch released

Mar 31, 2026 - 21:13 nvd

Patch available

EUVD ID Assigned

Mar 14, 2026 - 21:59 euvd

EUVD-2025-18403

Analysis Generated

Mar 14, 2026 - 21:59 vuln.today

CVE Published

Jun 16, 2025 - 15:15 nvd

HIGH 7.5

Blast Radius

ecosystem impact

† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth

1 maven packages depend on com.liferay.portal:com.liferay.portal.kernel (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 38.0.0.

DescriptionCVE.org

SessionClicks in Liferay Portal 7.0.0 through 7.4.3.21, and Liferay DXP 7.4 GA through update 9, 7.3 GA through update 25, and older unsupported versions does not restrict the saving of request parameters in the HTTP session, which allows remote attackers to consume system memory leading to denial-of-service (DoS) conditions via crafted HTTP requests.

AnalysisAI

A security vulnerability in Liferay Portal 7.0.0 (CVSS 7.5) that allows remote attackers. High severity vulnerability requiring prompt remediation.

Technical ContextAI

CWE-400 (Uncontrolled Resource Consumption). CVSS 7.5 indicates high severity. Affects Liferay Portal 7.0.0.

RemediationAI

Monitor vendor channels for patch availability.

CVE-2025-3526 vulnerability details – vuln.today

Back

Digital Experience Platform CVE-2025-3526

Severity by source

CVSS VectorNVD

Lifecycle Timeline

Blast Radius

DescriptionCVE.org

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code