Limesurvey
by Limesurvey
CVEs (80)
| CVE | Sev | Risk | CVSS | EPSS | Published | Description |
|---|---|---|---|---|---|---|
| CVE-2025-34120 | High | 0.65 | — | 0.01 | Jul 16, 2025 | An unauthenticated file download vulnerability exists in LimeSurvey versions from 2.0+ up to and including 2.06+ Build 151014. The application fails to validate serialized input to the admin backup endpoint (`index.php/admin/update/sa/backup`), allowing attackers to specify… |
| CVE-2018-7556 | Critical | 0.59 | 9.1 | 0.02 | Feb 28, 2018 | LimeSurvey 2.6.x before 2.6.7, 2.7x.x before 2.73.1, and 3.x before 3.4.2 mishandles application/controller/InstallerController.php after installation, which allows remote attackers to access the configuration file. |
| CVE-2026-50636 | High | 0.50 | 8.8 | 0.00 | Jun 9, 2026 | The RemoteControl API methods invite_participants and remind_participants pass a caller-supplied token-ID array into TokenDynamic::findUninvited(), which concatenates the values directly into a tid IN ('...') SQL clause without parameterization or input validation. A remote,… |
| CVE-2026-50635 | High | 0.50 | 8.8 | 0.00 | Jun 9, 2026 | LimeSurvey constructs account password-reset links from the client-supplied HTTP Host header without validating it. The optional allowedHosts allowlist that would constrain this is undefined in the default (and documented) configuration, so LSHttpRequest::checkIsAllowedHost()… |
| CVE-2018-17003 | Medium | 0.40 | 6.1 | 0.01 | Sep 21, 2018 | In LimeSurvey 3.14.7, HTML Injection and Stored XSS have been discovered in the appendix via the surveyls_title parameter to /index.php?r=admin/survey/sa/insert. |
| CVE-2024-6933 | Medium | 0.34 | 6.3 | 0.01 | Jul 21, 2024 | A flaw has been found in LimeSurvey 6.5.14-240624. Affected by this issue is the function actionUpdateSurveyLocaleSettingsGeneralSettings of the file /index.php?r=admin/database/index/updatesurveylocalesettings_generalsettings of the component Survey General Settings Handler.… |
| CVE-2025-70797 | Medium | 0.33 | 6.1 | 0.00 | Apr 9, 2026 | Cross Site Scripting vulnerability in LimeSurvey v.6.15.20+251021 allows a remote attacker to execute arbitrary code via the Box[title] and box[url] parameters. |
| CVE-2025-63238 | Medium | 0.33 | 6.1 | 0.00 | Apr 9, 2026 | A Reflected Cross-Site Scripting (XSS) affects LimeSurvey versions prior to 6.15.11+250909, due to the lack of validation of the gid parameter in the getInstance() function in application/models/QuestionCreate.php. This allows an attacker to craft a malicious URL and compromise the… |
| CVE-2018-16397 | Medium | 0.32 | 4.9 | 0.01 | Sep 3, 2018 | In LimeSurvey before 3.14.7, an admin user can leverage a "file upload" question to read an arbitrary file, |
| CVE-2018-1000513 | Medium | 0.31 | 4.8 | 0.01 | Jun 26, 2018 | LimeSurvey version 3.0.0-beta.3+17110 contains a Cross Site Scripting (XSS) vulnerability in Boxes that can result in JS code execution against LimeSurvey admins. This vulnerability appears to have been fixed in 3.6.x. |
| CVE-2018-1000514 | Medium | 0.28 | 4.3 | 0.00 | Jun 26, 2018 | LimeSurvey version 3.0.0-beta.3+17110 contains a Cross Site Request Forgery (CSRF) vulnerability in Boxes that can result in admins being made to delete boxes via CSRF. This vulnerability appears to have been fixed in 3.6.x. |
| CVE-2020-11455 | — | 0.11 | — | 0.97 | Apr 1, 2020 | LimeSurvey before 4.1.12+200324 contains a path traversal vulnerability in application/controllers/admin/LimeSurveyFileManager.php. |
| CVE-2020-11456 | — | 0.09 | — | 0.71 | Apr 1, 2020 | LimeSurvey before 4.1.12+200324 has stored XSS in application/views/admin/surveysgroups/surveySettings.php and application/models/SurveysGroups.php (aka survey groups). |
| CVE-2007-3632 | — | 0.08 | — | 0.62 | Jul 10, 2007 | Multiple PHP remote file inclusion vulnerabilities in LimeSurvey (aka PHPSurveyor) 1.49RC2 allow remote attackers to execute arbitrary PHP code via a URL in the homedir parameter to (1) OLE/PPS/File.php, (2) OLE/PPS/Root.php, (3) Spreadsheet/Excel/Writer.php, or (4) OLE/PPS.php… |
| CVE-2021-44967 | — | 0.06 | — | 0.13 | Feb 22, 2022 | A Remote Code Execution (RCE) vulnerability exists in LimeSurvey 5.2.4 via the upload and install plugins function, which could let a remote malicious user upload an arbitrary PHP code file. NOTE: the Supplier's position is that plugins intentionally can contain arbitrary PHP… |
| CVE-2019-9960 | — | 0.04 | — | 0.13 | Mar 24, 2019 | The downloadZip function in application/controllers/admin/export.php in LimeSurvey through 3.16.1+190225 allows a relative path. |
| CVE-2012-4927 | — | 0.03 | — | 0.02 | Sep 15, 2012 | SQL injection vulnerability in LimeSurvey (a.k.a. PHPSurveyor) 1.91+ Build 120224 and earlier allows remote attackers to execute arbitrary SQL commands via the fieldnames parameter to index.php. |
| CVE-2007-5573 | — | 0.03 | — | 0.03 | Oct 18, 2007 | PHP remote file inclusion vulnerability in classes/core/language.php in LimeSurvey 1.5.2 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the rootdir parameter. |
| CVE-2025-56422 | — | 0.00 | — | 0.01 | Mar 10, 2026 | A deserialization vulnerability in LimeSurvey before v6.15.0+250623 allows a remote attacker to execute arbitrary code on the server. |
| CVE-2025-56421 | — | 0.00 | — | 0.00 | Mar 10, 2026 | SQL Injection vulnerability in LimeSurvey before v.6.15.4+250710 allows a remote attacker to obtain sensitive information from the database. |
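The CVE-2026-50636 row describes caller-supplied token IDs concatenated straight into a `tid IN ('...')` clause. The block below is an added example, not LimeSurvey's own code: it reproduces that pattern against a constructed in-memory SQLite table and places the parameterised form beside it, so the effect of a single crafted ID can be seen end to end. The `tokens` schema, its rows, and the names `find_uninvited_vulnerable` / `find_uninvited_hardened` are constructed for the demo; they are not the project's `TokenDynamic::findUninvited()`.

```python
"""Concatenated IN (...) clause beside a parameterised one.

Added example; not LimeSurvey's code.  Schema, rows and function names are constructed.
"""
import sqlite3
from typing import Dict, List, Sequence, Union

# Constructed stand-in for a survey's participant (token) table.
SAMPLE_TOKENS = [
    (1, "alice@example.org", "tok-alice"),
    (2, "bob@example.org", "tok-bob"),
    (3, "carol@example.org", "tok-carol"),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tokens (tid INTEGER PRIMARY KEY, email TEXT, token TEXT)")
    conn.executemany("INSERT INTO tokens VALUES (?, ?, ?)", SAMPLE_TOKENS)
    return conn


def find_uninvited_vulnerable(conn: sqlite3.Connection, tids: Sequence[str]) -> List[int]:
    """The pattern the advisory describes: caller-supplied IDs glued into tid IN ('...')."""
    sql = "SELECT tid FROM tokens WHERE tid IN ('" + "','".join(str(t) for t in tids) + "')"
    return sorted(row[0] for row in conn.execute(sql))


def find_uninvited_hardened(conn: sqlite3.Connection,
                            tids: Sequence[Union[str, int]]) -> List[int]:
    """Validate every ID as a plain ASCII integer, then bind the list as parameters."""
    ids: List[int] = []
    for t in tids:
        s = str(t)
        if not (s.isascii() and s.isdigit()):
            raise ValueError(f"invalid token id: {s!r}")
        ids.append(int(s))
    if not ids:
        return []
    placeholders = ",".join("?" * len(ids))        # one bound parameter per ID: ?,?,?
    sql = f"SELECT tid FROM tokens WHERE tid IN ({placeholders})"
    return sorted(row[0] for row in conn.execute(sql, ids))


def demo() -> Dict[str, object]:
    """Run an honest request and a crafted one through both variants."""
    conn = make_db()
    payload = ["1') OR ('1'='1"]        # vulnerable SQL becomes: tid IN ('1') OR ('1'='1')
    try:
        find_uninvited_hardened(conn, payload)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "vulnerable_honest": find_uninvited_vulnerable(conn, ["2"]),      # [2]
        "vulnerable_payload": find_uninvited_vulnerable(conn, payload),   # [1, 2, 3]: whole table
        "hardened_honest": find_uninvited_hardened(conn, ["2", 3]),        # [2, 3]
        "hardened_rejects_payload": rejected,                              # True
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:26} {value}")
```

The hardened variant does two independent things, and both matter: the allowlist check keeps anything that is not an integer out of the query at all (so an attacker cannot even probe the error path), and the placeholders mean that even a value which slipped past validation could only ever be compared as data, never parsed as SQL.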
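Most readers of a table like this want one answer: which rows apply to the version I am running? The block below is an added example, not code from the page or the LimeSurvey project. It parses version strings in the forms the table uses (`6.15.4+250710`, `6.5.14-240624`, `2.06+ Build 151014`, `3.0.0-beta.3+17110`, `1.49RC2`) and checks them against the affected ranges the descriptions state. Only entries whose description gives a range are encoded; rows that name a single tested version or no version at all (CVE-2018-17003, CVE-2024-6933, CVE-2025-70797, CVE-2018-1000513, CVE-2018-1000514, CVE-2021-44967, CVE-2007-3632, CVE-2007-5573, CVE-2026-50636, CVE-2026-50635) are left out, and each range is taken literally from the text, so "before X" flags every earlier release. Two assumptions are built in and marked in the code: a version without a build stamp is treated as the earliest build of that number, and in the 1.x and 2.x lines the minor number sorts as a decimal fraction (1.49 < 1.5 < 1.91, 2.06 < 2.50 < 2.6 < 2.73), which is the order the publication dates above imply; from 3.x on it sorts as an integer (3.4 < 3.14).

```python
"""Which of the ranged CVE entries above apply to a given LimeSurvey version?

Added example; not code from the page or from the LimeSurvey project.
"""
import re
from typing import Callable, Dict, List, NamedTuple, Tuple


class LsVersion(NamedTuple):
    nums: Tuple[int, float, int]  # (major, minor, patch); minor is a fraction in the 1.x/2.x lines
    final: int                    # 0 = pre-release (alpha/beta/RC), 1 = final release
    build: int                    # YYMMDD build stamp, 0 when the string carries none


_VERSION_RE = re.compile(
    r"^v?\.?(?P<nums>\d+(?:\.\d+)*)"               # 6.15.4   2.06   1.49
    r"(?P<pre>-?(?:alpha|beta|rc)[\w.]*)?"          # -beta.3   RC2
    r"(?:[+-]\s*(?:Build\s*)?(?P<build>\d+))?"      # +250710   -240624   + Build 151014
    r"\+?$",                                        # bare trailing '+' as in "2.0+"
    re.IGNORECASE,
)


def parse_version(text: str) -> LsVersion:
    """Turn a LimeSurvey version string into a sortable tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised LimeSurvey version: {text!r}")
    parts = m.group("nums").split(".")
    major = int(parts[0])
    minor_s = parts[1] if len(parts) > 1 else "0"
    # Assumption: in the 1.x and 2.x lines the minor reads as a decimal fraction
    # (1.49 < 1.5 < 1.91, 2.06 < 2.50 < 2.6 < 2.73); from 3.x on it is an integer (3.4 < 3.14).
    minor = int(minor_s) / 10 ** len(minor_s) if major < 3 else int(minor_s)
    patch = int(parts[2]) if len(parts) > 2 else 0
    # Assumption: no build stamp means the earliest build of that number, so "6.15.0"
    # counts as before "6.15.0+250623" (conservative: flag it, then confirm by hand).
    return LsVersion((major, minor, patch), 0 if m.group("pre") else 1, int(m.group("build") or 0))


Rule = Callable[[LsVersion], bool]


def before(limit: str) -> Rule:                     # "before X"
    lim = parse_version(limit)
    return lambda v: v < lim


def through(limit: str) -> Rule:                    # "through X" / "X and earlier"
    lim = parse_version(limit)
    return lambda v: v <= lim


def between(low: str, high: str) -> Rule:           # "from X up to and including Y"
    lo, hi = parse_version(low), parse_version(high)
    return lambda v: lo <= v <= hi


def in_line(major: int, minor_lo: float, minor_hi: float, limit: str) -> Rule:
    """major.minor within [minor_lo, minor_hi] and older than limit, e.g. "2.7x.x before 2.73.1"."""
    lim = parse_version(limit)
    return lambda v: v.nums[0] == major and minor_lo <= v.nums[1] <= minor_hi and v < lim


def any_of(*rules: Rule) -> Rule:
    return lambda v: any(rule(v) for rule in rules)


# Affected ranges exactly as the table's descriptions state them.  Entries that name only
# a single tested version carry no range and are deliberately left out.
AFFECTED_RANGES: Dict[str, Rule] = {
    "CVE-2025-34120": between("2.0", "2.06+ Build 151014"),
    "CVE-2018-7556": any_of(in_line(2, 0.6, 0.6, "2.6.7"),             # 2.6.x before 2.6.7
                            in_line(2, 0.70, 0.79, "2.73.1"),          # 2.7x.x before 2.73.1
                            in_line(3, 0, float("inf"), "3.4.2")),     # 3.x before 3.4.2
    "CVE-2025-63238": before("6.15.11+250909"),
    "CVE-2018-16397": before("3.14.7"),
    "CVE-2020-11455": before("4.1.12+200324"),
    "CVE-2020-11456": before("4.1.12+200324"),
    "CVE-2019-9960": through("3.16.1+190225"),
    "CVE-2012-4927": through("1.91+ Build 120224"),
    "CVE-2025-56422": before("6.15.0+250623"),
    "CVE-2025-56421": before("6.15.4+250710"),
}


def affected_cves(version: str) -> List[str]:
    """CVE IDs from AFFECTED_RANGES whose stated range contains the given version."""
    v = parse_version(version)
    return sorted(cve for cve, rule in AFFECTED_RANGES.items() if rule(v))


if __name__ == "__main__":
    for ver in ("6.15.3+250708", "3.0.0-beta.3+17110", "2.72.5", "6.15.11+250909"):
        print(f"{ver:22} {', '.join(affected_cves(ver)) or 'none of the ranged entries'}")
```

A hit from this check is a reason to look at the advisory, not proof of exposure: the ranges are the literal wording of each description, several of which were written against much older branches, and the decimal-minor rule for the 1.x and 2.x lines is an inference from the release order rather than anything the page states.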
Page 1 of 4