VYPR

Limesurvey

by Limesurvey

CVEs (80)

  • CVE-2025-34120 (High) Jul 16, 2025
    risk 0.65, cvss n/a, epss 0.01

    An unauthenticated file download vulnerability exists in LimeSurvey versions from 2.0+ up to and including 2.06+ Build 151014. The application fails to validate serialized input to the admin backup endpoint (`index.php/admin/update/sa/backup`), allowing attackers to specify…

  • CVE-2018-7556 (Critical) Feb 28, 2018
    risk 0.59, cvss 9.1, epss 0.02

    LimeSurvey 2.6.x before 2.6.7, 2.7x.x before 2.73.1, and 3.x before 3.4.2 mishandles application/controller/InstallerController.php after installation, which allows remote attackers to access the configuration file.

  • CVE-2026-50636 (High) Jun 9, 2026
    risk 0.50, cvss 8.8, epss 0.00

    The RemoteControl API methods invite_participants and remind_participants pass a caller-supplied token-ID array into TokenDynamic::findUninvited(), which concatenates the values directly into a tid IN ('...') SQL clause without parameterization or input validation. A remote,…

  • CVE-2026-50635 (High) Jun 9, 2026
    risk 0.50, cvss 8.8, epss 0.00

    LimeSurvey constructs account password-reset links from the client-supplied HTTP Host header without validating it. The optional allowedHosts allowlist that would constrain this is undefined in the default (and documented) configuration, so LSHttpRequest::checkIsAllowedHost()…

  • CVE-2018-17003 (Medium) Sep 21, 2018
    risk 0.40, cvss 6.1, epss 0.01

    In LimeSurvey 3.14.7, HTML Injection and Stored XSS have been discovered in the appendix via the surveyls_title parameter to /index.php?r=admin/survey/sa/insert.

  • CVE-2024-6933 (Medium) Jul 21, 2024
    risk 0.34, cvss 6.3, epss 0.01

    A flaw has been found in LimeSurvey 6.5.14-240624. Affected by this issue is the function actionUpdateSurveyLocaleSettingsGeneralSettings of the file /index.php?r=admin/database/index/updatesurveylocalesettings_generalsettings of the component Survey General Settings Handler.…

  • CVE-2025-70797 (Medium) Apr 9, 2026
    risk 0.33, cvss 6.1, epss 0.00

    Cross Site Scripting vulnerability in Limesurvey v.6.15.20+251021 allows a remote attacker to execute arbitrary code via the Box[title] and box[url] parameters.

  • CVE-2025-63238 (Medium) Apr 9, 2026
    risk 0.33, cvss 6.1, epss 0.00

    A Reflected Cross-Site Scripting (XSS) affects LimeSurvey versions prior to 6.15.11+250909, due to the lack of validation of gid parameter in getInstance() function in application/models/QuestionCreate.php. This allows an attacker to craft a malicious URL and compromise the…

  • CVE-2018-16397 (Medium) Sep 3, 2018
    risk 0.32, cvss 4.9, epss 0.01

    In LimeSurvey before 3.14.7, an admin user can leverage a "file upload" question to read an arbitrary file.

  • CVE-2018-1000513 (Medium) Jun 26, 2018
    risk 0.31, cvss 4.8, epss 0.01

    LimeSurvey version 3.0.0-beta.3+17110 contains a Cross Site Scripting (XSS) vulnerability in Boxes that can result in JS code execution against LimeSurvey admins. This vulnerability appears to have been fixed in 3.6.x.

  • CVE-2018-1000514 (Medium) Jun 26, 2018
    risk 0.28, cvss 4.3, epss 0.00

    LimeSurvey version 3.0.0-beta.3+17110 contains a Cross Site Request Forgery (CSRF) vulnerability in Boxes that can result in CSRF against admins to delete boxes. This vulnerability appears to have been fixed in 3.6.x.

  • CVE-2020-11455 Apr 1, 2020
    risk 0.11, cvss n/a, epss 0.97

    LimeSurvey before 4.1.12+200324 contains a path traversal vulnerability in application/controllers/admin/LimeSurveyFileManager.php.

  • CVE-2020-11456 Apr 1, 2020
    risk 0.09, cvss n/a, epss 0.71

    LimeSurvey before 4.1.12+200324 has stored XSS in application/views/admin/surveysgroups/surveySettings.php and application/models/SurveysGroups.php (aka survey groups).

  • CVE-2007-3632 Jul 10, 2007
    risk 0.08, cvss n/a, epss 0.62

    Multiple PHP remote file inclusion vulnerabilities in LimeSurvey (aka PHPSurveyor) 1.49RC2 allow remote attackers to execute arbitrary PHP code via a URL in the homedir parameter to (1) OLE/PPS/File.php, (2) OLE/PPS/Root.php, (3) Spreadsheet/Excel/Writer.php, or (4) OLE/PPS.php…

  • CVE-2021-44967 Feb 22, 2022
    risk 0.06, cvss n/a, epss 0.13

    A Remote Code Execution (RCE) vulnerability exists in LimeSurvey 5.2.4 via the upload and install plugins function, which could let a remote malicious user upload an arbitrary PHP code file. NOTE: the Supplier's position is that plugins intentionally can contain arbitrary PHP…

  • CVE-2019-9960 Mar 24, 2019
    risk 0.04, cvss n/a, epss 0.13

    The downloadZip function in application/controllers/admin/export.php in LimeSurvey through 3.16.1+190225 allows a relative path.

  • CVE-2012-4927 Sep 15, 2012
    risk 0.03, cvss n/a, epss 0.02

    SQL injection vulnerability in Limesurvey (a.k.a. PHPSurveyor) before 1.91+ Build 120224 and earlier allows remote attackers to execute arbitrary SQL commands via the fieldnames parameter to index.php.

  • CVE-2007-5573 Oct 18, 2007
    risk 0.03, cvss n/a, epss 0.03

    PHP remote file inclusion vulnerability in classes/core/language.php in LimeSurvey 1.5.2 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the rootdir parameter.

  • CVE-2025-56422 Mar 10, 2026
    risk 0.00, cvss n/a, epss 0.01

    A deserialization vulnerability in LimeSurvey before v6.15.0+250623 allows a remote attacker to execute arbitrary code on the server.

  • CVE-2025-56421 Mar 10, 2026
    risk 0.00, cvss n/a, epss 0.00

    SQL Injection vulnerability in LimeSurvey before v.6.15.4+250710 allows a remote attacker to obtain sensitive information from the database.

Page 1 of 4