Unrated severity · OSV Advisory · Published Jan 28, 2026 · Updated Mar 5, 2026
LimeSurvey <= 4.3.10 - 'Survey Menu' Persistent Cross-Site Scripting
CVE-2020-36993
Description
LimeSurvey 4.3.10 contains a stored cross-site scripting vulnerability in the Survey Menu functionality of the administration panel. Attackers can inject malicious SVG scripts through the Surveymenu[title] and Surveymenu[parent_id] parameters to execute arbitrary JavaScript in administrative contexts.
Affected products
- Range: 1.45a, 1.45a_2007-02-24, 1.50_2007-08-06, …
Patches
No patches discovered yet.
References
- github.com/LimeSurvey/LimeSurvey/commit/3712854a8fd8d875c67640969a1d54c4d93d3676 (mitre, issue-tracking, patch)
- www.exploit-db.com/exploits/48762 (mitre, exploit)
- www.vulncheck.com/advisories/limesurvey-survey-menu-persistent-cross-site-scripting (mitre, third-party-advisory)
- www.limesurvey.org (mitre, product)