Medium severity6.1NVD Advisory· Published Apr 25, 2022· Updated Jun 17, 2026
CVE-2022-26596
CVE-2022-26596
Description
Cross-site scripting (XSS) vulnerability in Journal module's web content display configuration page in Liferay Portal 7.1.0 through 7.3.3, and Liferay DXP 7.0 before fix pack 94, 7.1 before fix pack 19, and 7.2 before fix pack 8, allows remote attackers to inject arbitrary web script or HTML via web content template names.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
com.liferay:com.liferay.journal.content.webMaven | < 5.0.15 | 5.0.15 |
com.liferay.portal:release.dxp.bomMaven | >= 7.0.0, < 7.0.10.fp94 | 7.0.10.fp94 |
com.liferay.portal:release.dxp.bomMaven | >= 7.1.0, < 7.1.10.fp19 | 7.1.10.fp19 |
com.liferay.portal:release.dxp.bomMaven | >= 7.2.0, < 7.2.10.fp8 | 7.2.10.fp8 |
Affected products
3- osv-coords3 versionspkg:bitnami/liferaypkg:maven/com.liferay/com.liferay.journal.content.webpkg:maven/com.liferay.portal/release.dxp.bom
>= 7.0.0, <= 7.0.0+ 2 more
- (no CPE)range: >= 7.0.0, <= 7.0.0
- (no CPE)range: < 5.0.15
- (no CPE)range: >= 7.0.0, < 7.0.10.fp94
Patches
Vulnerability mechanics
References
5- liferay.comnvdVendor AdvisoryWEB
- github.com/advisories/GHSA-w7f2-6896-6mm2ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2022-26596ghsaADVISORY
- github.com/liferay/liferay-portal/commit/c61976fc867f3add8eb429b99380e91f021f9313ghsaWEB
- liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2022-26596-stored-xss-with-template-nameghsaWEB
News mentions
0No linked articles in our index yet.