Critical severityCISA KEVNVD Advisory· Published Mar 20, 2020· Updated Oct 21, 2025

CVE-2020-7961

Description

Deserialization of Untrusted Data in Liferay Portal prior to 7.2.1 CE GA2 allows remote attackers to execute arbitrary code via JSON web services (JSONWS).

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
com.liferay.portal:com.liferay.portal.kernelMaven	< 4.35.3	4.35.3

Affected products

Liferay/Liferay Portaldescription

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-w7pm-cc4v-f3g8ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2020-7961ghsaADVISORY
packetstormsecurity.com/files/157254/Liferay-Portal-Java-Unmarshalling-Remote-Code-Execution.htmlghsax_refsource_MISCWEB
packetstormsecurity.com/files/158392/Liferay-Portal-Remote-Code-Execution.htmlghsax_refsource_MISCWEB
github.com/liferay/liferay-portal/blob/7.2.1-ga2/portal-kernel/bnd.bndghsaWEB
portal.liferay.dev/learn/security/known-vulnerabilitiesghsax_refsource_MISCWEB
portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/117954271ghsax_refsource_CONFIRMWEB
research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnetghsaWEB
research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/mitrex_refsource_MISC
www.cisa.gov/known-exploited-vulnerabilities-catalogghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.585
epss	0.075
exploit	0.030
kev	0.120
patch	0.000
ransomware	0.000