CVE-2022-26594: Multiple cross-site scripting (XSS) vulnerabilities in Liferay Portal 7.3.5 through 7.4.0, and Liferay DXP...
Multiple cross-site scripting (XSS) vulnerabilities in Liferay Portal 7.3.5 through 7.4.0, and Liferay DXP 7.3 before service pack 3 allow remote attackers to inject arbitrary web script or HTML via a form field's help text to (1) Forms module's form builder, or (2) App Builder module's object form view's form builder.
Security readout for executives and security teams
Plain-English summary
This vulnerability lets a remote attacker place unwanted web script or HTML into Liferay form field help text. If triggered in the Forms or App Builder form builders, it could affect users viewing or managing those forms. The source bundle does not provide a CVSS score or evidence of active exploitation.
Executive priority
Prioritize remediation for externally reachable Liferay portals or environments with many content authors. The business risk is session theft, user impersonation, or portal content manipulation through XSS, but available evidence does not support emergency exploitation claims.
Technical view
CVE-2022-26594 covers multiple XSS issues in Liferay Portal 7.3.5 through 7.4.0 and Liferay DXP 7.3 before service pack 3. The injection point is a form field's help text in the Forms module form builder and App Builder object form view form builder.
Likely exposure
Exposure is most likely where affected Liferay versions are deployed and users can create or edit form field help text. The sources do not specify required privileges, internet exposure, or tenant scope.
Exploitation context
The bundled sources describe remote XSS but do not cite public exploitation, weaponized exploit activity, or CISA KEV listing. Treat this as a credible web application risk, especially for portals with broad authoring access.
Researcher notes
The public bundle lacks CVSS, CWE, exploit maturity, and detailed privilege requirements. Analysis should stay anchored to the Liferay advisory and CVE description. Avoid assuming unauthenticated exploitability unless vendor guidance confirms it.
Mitigation direction
Apply the relevant Liferay security fix or supported update path.
For Liferay DXP 7.3, update to service pack 3 or later.
Review Liferay’s advisory for product-specific fixed versions.
Restrict form builder and App Builder editing rights to trusted users.
Audit existing form field help text for unexpected HTML or script content.
Validation and detection
Inventory Liferay Portal and DXP versions across environments.
Confirm whether Forms and App Builder modules are enabled.
Review who can edit form field help text.
Check existing help text content for suspicious markup.
Verify patched environments no longer render unsafe help text.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2022-26594 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
0CVSS vectors
3Timeline events
1ADP providers
2Source links
Vulnerability timeline
Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.
CVE reservedCVE Program
The CVE ID was reserved by the assigning CNA.
CVE publishedCVE Program
The CVE record was published.
Apr 15, 2022, 15:50 UTC (UTC+00:00)
CVE updatedCVE Program
The CVE record metadata indicates this as the latest update time.