CVE-2026-50636
- EPSS 0.36%
- Veröffentlicht 09.06.2026 18:17:10
- Zuletzt bearbeitet 09.06.2026 19:36:10
The RemoteControl API methods invite_participants and remind_participants pass a caller-supplied token-ID array into TokenDynamic::findUninvited(), which concatenates the values directly into a tid IN ('...') SQL clause without parameterization or in...
CVE-2026-50635
- EPSS 0.37%
- Veröffentlicht 09.06.2026 18:17:10
- Zuletzt bearbeitet 09.06.2026 19:36:10
LimeSurvey constructs account password-reset links from the client-supplied HTTP Host header without validating it. The optional allowedHosts allowlist that would constrain this is undefined in the default (and documented) configuration, so LSHttpReq...
CVE-2025-70797
- EPSS 0.28%
- Veröffentlicht 09.04.2026 18:16:42
- Zuletzt bearbeitet 16.04.2026 19:01:01
Cross Site Scripting vulnerability in Limesurvey v.6.15.20+251021 allows a remote attacker to execute arbitrary code via the Box[title] and box[url] parameters.
CVE-2025-63238
- EPSS 0.23%
- Veröffentlicht 09.04.2026 18:16:42
- Zuletzt bearbeitet 16.04.2026 19:02:22
A Reflected Cross-Site Scripting (XSS) affects LimeSurvey versions prior to 6.15.11+250909, due to the lack of validation of gid parameter in getInstance() function in application/models/QuestionCreate.php. This allows an attacker to craft a maliciou...
CVE-2025-56422
- EPSS 0.85%
- Veröffentlicht 10.03.2026 00:00:00
- Zuletzt bearbeitet 05.07.2026 02:17:00
A deserialization vulnerability in LimeSurvey before v6.15.0+250623 allows a remote attacker to execute arbitrary code on the server.
CVE-2025-56421
- EPSS 0.47%
- Veröffentlicht 10.03.2026 00:00:00
- Zuletzt bearbeitet 05.07.2026 02:17:00
SQL Injection vulnerability in LimeSurvey before v.6.15.4+250710 allows a remote attacker to obtain sensitive information from the database.
CVE-2020-36993
- EPSS 0.25%
- Veröffentlicht 28.01.2026 12:29:03
- Zuletzt bearbeitet 02.02.2026 16:16:14
LimeSurvey 4.3.10 contains a stored cross-site scripting vulnerability in the Survey Menu functionality of the administration panel. Attackers can inject malicious SVG scripts through the Surveymenu[title] and Surveymenu[parent_id] parameters to exec...
CVE-2025-41076
- EPSS 0.24%
- Veröffentlicht 20.11.2025 12:52:25
- Zuletzt bearbeitet 21.11.2025 19:54:57
In version 6.13.0 of LimeSurvey, any external user can cause a 500 error in the survey system by sending a malformed session cookie. Instead of displaying a generic error message, the system exposes internal backend information, including the use of ...
CVE-2025-41075
- EPSS 0.28%
- Veröffentlicht 20.11.2025 12:49:29
- Zuletzt bearbeitet 21.11.2025 19:59:05
Vulnerability in LimeSurvey 6.13.0 in the endpoint /optin that causes infinite HTTP redirects when accessed directly. This behavior can be exploited to generate a Denegation of Service (DoS attack), by exhausting server or client resources. The syst...
CVE-2025-41074
- EPSS 0.28%
- Veröffentlicht 20.11.2025 12:47:05
- Zuletzt bearbeitet 21.11.2025 20:00:55
Vulnerability in LimeSurvey 6.13.0 in the endpoint /optout that causes infinite HTTP redirects when accessed directly. This behavior can be exploited to generate a Denegation of Service (DoS attack), by exhausting server or client resources. The sy...