VYPR

Limesurvey

by Limesurvey

CVEs (80)

  • CVE-2020-36993 (Jan 28, 2026)
    risk 0.00 cvss, epss 0.00

    LimeSurvey 4.3.10 contains a stored cross-site scripting vulnerability in the Survey Menu functionality of the administration panel. Attackers can inject malicious SVG scripts through the Surveymenu[title] and Surveymenu[parent_id] parameters to execute arbitrary JavaScript in…

  • CVE-2025-41076 (Nov 20, 2025)
    risk 0.00 cvss, epss 0.00

    In version 6.13.0 of LimeSurvey, any external user can cause a 500 error in the survey system by sending a malformed session cookie. Instead of displaying a generic error message, the system exposes internal backend information, including the use of the Yii framework, the…

  • CVE-2025-41075 (Nov 20, 2025)
    risk 0.00 cvss, epss 0.00

    Vulnerability in LimeSurvey 6.13.0 in the endpoint /optin that causes infinite HTTP redirects when accessed directly. This behavior can be exploited to cause a denial of service (DoS) by exhausting server or client resources. The system is unable to break the…

  • CVE-2025-41074 (Nov 20, 2025)
    risk 0.00 cvss, epss 0.00

    Vulnerability in LimeSurvey 6.13.0 in the endpoint /optout that causes infinite HTTP redirects when accessed directly. This behavior can be exploited to cause a denial of service (DoS) by exhausting server or client resources. The system is unable to break the…

  • CVE-2025-41376 (Aug 1, 2025)
    risk 0.00 cvss, epss 0.00

    CRLF Injection vulnerability in Limesurvey v2.65.1+170522. This vulnerability could allow a remote attacker to inject arbitrary HTTP headers and perform HTTP response splitting attacks via '/index.php/survey/index/sid//token/fwyfw%0d%0aCookie:%20POC'.

  • CVE-2025-41375 (Aug 1, 2025)
    risk 0.00 cvss, epss 0.01

    SQL Injection vulnerability in Limesurvey v2.65.1+170522. This vulnerability allows an attacker to retrieve, create, update and delete database contents via the 'token' parameter of the '/index.php' endpoint.

  • CVE-2024-28709 (Oct 7, 2024)
    risk 0.00 cvss, epss 0.01

    Cross Site Scripting vulnerability in LimeSurvey before 6.5.12+240611 allows a remote attacker to execute arbitrary code via a crafted script to the title and comment fields.

  • CVE-2024-28710 (Oct 7, 2024)
    risk 0.00 cvss, epss 0.01

    Cross Site Scripting vulnerability in LimeSurvey before 6.5.0+240319 allows a remote attacker to execute arbitrary code via a lack of input validation and output encoding in the Alert Widget's message component.

  • CVE-2024-42902 (Sep 3, 2024)
    risk 0.00 cvss, epss 0.01

    An issue in the js_localize.php function of LimeSurvey v6.6.2 and before allows attackers to execute arbitrary code by injecting a crafted payload into its lng parameter.

  • CVE-2024-42901 (Sep 3, 2024)
    risk 0.00 cvss, epss 0.00

    A CSV injection vulnerability in Lime Survey v6.5.12 allows attackers to execute arbitrary code via uploading a crafted CSV file.

  • CVE-2024-42903 (Sep 3, 2024)
    risk 0.00 cvss, epss 0.00

    A Host header injection vulnerability in the password reset function of LimeSurvey v.6.6.1+240806 and before allows attackers to send users a crafted password reset link that will direct victims to a malicious domain.

  • CVE-2024-7887 (Aug 17, 2024)
    risk 0.00 cvss, epss 0.01

    A vulnerability was found in LimeSurvey 6.3.0-231016 and classified as problematic. Affected by this issue is some unknown functionality of the file /index.php of the component File Upload. The manipulation of the argument size leads to denial of service. The attack may be…

  • CVE-2024-39063 (Jul 9, 2024)
    risk 0.00 cvss, epss 0.00

    Lime Survey <= 6.5.12 is vulnerable to Cross Site Request Forgery (CSRF). The YII_CSRF_TOKEN is only checked when passed in the body of POST requests, but the same check isn't performed in the equivalent GET requests.

  • CVE-2023-44796 (Nov 17, 2023)
    risk 0.00 cvss, epss 0.01

    Cross Site Scripting (XSS) vulnerability in LimeSurvey before version 6.2.9-230925 allows a remote attacker to escalate privileges via a crafted script to the _generaloptions_panel.php component.

  • CVE-2022-48010 (Jan 27, 2023)
    risk 0.00 cvss, epss 0.00

    LimeSurvey v5.4.15 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the component /index.php/surveyAdministration/rendersidemenulink?subaction=surveytexts. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted…

  • CVE-2022-48008 (Jan 27, 2023)
    risk 0.00 cvss, epss 0.01

    An arbitrary file upload vulnerability in the plugin manager of LimeSurvey v5.4.15 allows attackers to execute arbitrary code via a crafted PHP file.

  • CVE-2022-43279 (Nov 15, 2022)
    risk 0.00 cvss, epss 0.01

    LimeSurvey before v5.0.4 was discovered to contain a SQL injection vulnerability via the component /application/views/themeOptions/update.php.

  • CVE-2022-29710 (May 24, 2022)
    risk 0.00 cvss, epss 0.01

    A cross-site scripting (XSS) vulnerability in uploadConfirm.php of LimeSurvey v5.3.9 and below allows attackers to execute arbitrary web scripts or HTML via a crafted plugin.

  • CVE-2018-10228 (Dec 14, 2021)
    risk 0.00 cvss, epss 0.01

    Cross-site scripting (XSS) vulnerability in /application/controller/admin/theme.php in LimeSurvey 3.6.2+180406 allows remote attackers to inject arbitrary web script or HTML via the changes_cp parameter to the index.php/admin/themes/sa/templatesavechanges URI.

  • CVE-2020-22607 (Jun 28, 2021)
    risk 0.00 cvss, epss 0.01

    Cross Site Scripting vulnerability in LimeSurvey 4.1.11+200316 via the (1) name and (2) description parameters in application/controllers/admin/PermissiontemplatesController.php.