Limesurvey
by Limesurvey
Source repositories
CVEs (80)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-36993 | | | 0.00 | — | 0.00 | | Jan 28, 2026 | LimeSurvey 4.3.10 contains a stored cross-site scripting vulnerability in the Survey Menu functionality of the administration panel. Attackers can inject malicious SVG scripts through the Surveymenu[title] and Surveymenu[parent_id] parameters to execute arbitrary JavaScript in… |
| CVE-2025-41076 | | | 0.00 | — | 0.00 | | Nov 20, 2025 | In version 6.13.0 of LimeSurvey, any external user can cause a 500 error in the survey system by sending a malformed session cookie. Instead of displaying a generic error message, the system exposes internal backend information, including the use of the Yii framework, the… |
| CVE-2025-41075 | | | 0.00 | — | 0.00 | | Nov 20, 2025 | Vulnerability in LimeSurvey 6.13.0 in the endpoint /optin that causes infinite HTTP redirects when accessed directly. This behavior can be exploited to generate a Denial of Service (DoS) attack by exhausting server or client resources. The system is unable to break the… |
| CVE-2025-41074 | | | 0.00 | — | 0.00 | | Nov 20, 2025 | Vulnerability in LimeSurvey 6.13.0 in the endpoint /optout that causes infinite HTTP redirects when accessed directly. This behavior can be exploited to generate a Denial of Service (DoS) attack by exhausting server or client resources. The system is unable to break the… |
| CVE-2025-41376 | | | 0.00 | — | 0.00 | | Aug 1, 2025 | CRLF Injection vulnerability in Limesurvey v2.65.1+170522. This vulnerability could allow a remote attacker to inject arbitrary HTTP headers and perform HTTP response splitting attacks via '/index.php/survey/index/sid//token/fwyfw%0d%0aCookie:%20POC'. |
| CVE-2025-41375 | | | 0.00 | — | 0.01 | | Aug 1, 2025 | SQL Injection vulnerability in Limesurvey v2.65.1+170522. This vulnerability allows an attacker to retrieve, create, update and delete database contents via the 'token' parameter in the '/index.php' endpoint. |
| CVE-2024-28709 | | | 0.00 | — | 0.01 | | Oct 7, 2024 | Cross Site Scripting vulnerability in LimeSurvey before 6.5.12+240611 allows a remote attacker to execute arbitrary code via a crafted script to the title and comment fields. |
| CVE-2024-28710 | | | 0.00 | — | 0.01 | | Oct 7, 2024 | Cross Site Scripting vulnerability in LimeSurvey before 6.5.0+240319 allows a remote attacker to execute arbitrary code via a lack of input validation and output encoding in the Alert Widget's message component. |
| CVE-2024-42902 | | | 0.00 | — | 0.01 | | Sep 3, 2024 | An issue in the js_localize.php function of LimeSurvey v6.6.2 and before allows attackers to execute arbitrary code via injecting a crafted payload into the lng parameter of the js_localize.php function. |
| CVE-2024-42901 | | | 0.00 | — | 0.00 | | Sep 3, 2024 | A CSV injection vulnerability in Lime Survey v6.5.12 allows attackers to execute arbitrary code via uploading a crafted CSV file. |
| CVE-2024-42903 | | | 0.00 | — | 0.00 | | Sep 3, 2024 | A Host header injection vulnerability in the password reset function of LimeSurvey v.6.6.1+240806 and before allows attackers to send users a crafted password reset link that will direct victims to a malicious domain. |
| CVE-2024-7887 | | | 0.00 | — | 0.01 | | Aug 17, 2024 | A vulnerability was found in LimeSurvey 6.3.0-231016 and classified as problematic. Affected by this issue is some unknown functionality of the file /index.php of the component File Upload. The manipulation of the argument size leads to denial of service. The attack may be… |
| CVE-2024-39063 | | | 0.00 | — | 0.00 | | Jul 9, 2024 | Lime Survey <= 6.5.12 is vulnerable to Cross Site Request Forgery (CSRF). The YII_CSRF_TOKEN is only checked when passed in the body of POST requests, but the same check isn't performed in the equivalent GET requests. |
| CVE-2023-44796 | | | 0.00 | — | 0.01 | | Nov 17, 2023 | Cross Site Scripting (XSS) vulnerability in LimeSurvey before version 6.2.9-230925 allows a remote attacker to escalate privileges via a crafted script to the _generaloptions_panel.php component. |
| CVE-2022-48010 | | | 0.00 | — | 0.00 | | Jan 27, 2023 | LimeSurvey v5.4.15 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the component /index.php/surveyAdministration/rendersidemenulink?subaction=surveytexts. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted… |
| CVE-2022-48008 | | | 0.00 | — | 0.01 | | Jan 27, 2023 | An arbitrary file upload vulnerability in the plugin manager of LimeSurvey v5.4.15 allows attackers to execute arbitrary code via a crafted PHP file. |
| CVE-2022-43279 | | | 0.00 | — | 0.01 | | Nov 15, 2022 | LimeSurvey before v5.0.4 was discovered to contain a SQL injection vulnerability via the component /application/views/themeOptions/update.php. |
| CVE-2022-29710 | | | 0.00 | — | 0.01 | | May 24, 2022 | A cross-site scripting (XSS) vulnerability in uploadConfirm.php of LimeSurvey v5.3.9 and below allows attackers to execute arbitrary web scripts or HTML via a crafted plugin. |
| CVE-2018-10228 | | | 0.00 | — | 0.01 | | Dec 14, 2021 | Cross-site scripting (XSS) vulnerability in /application/controller/admin/theme.php in LimeSurvey 3.6.2+180406 allows remote attackers to inject arbitrary web script or HTML via the changes_cp parameter to the index.php/admin/themes/sa/templatesavechanges URI. |
| CVE-2020-22607 | | | 0.00 | — | 0.01 | | Jun 28, 2021 | Cross Site Scripting vulnerability in LimeSurvey 4.1.11+200316 via the (1) name and (2) description parameters in application/controllers/admin/PermissiontemplatesController.php. |
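The CVE-2024-39063 entry above describes a CSRF token that is validated only when it arrives in a POST body, while the same action reachable by GET is never checked. The following is an added example, not LimeSurvey's or Yii's code, that models the two behaviours in Python: a verifier with that gap beside a hardened one that refuses state-changing requests on safe methods and compares the token in constant time. The request dict, the helper names and the `action=delete` parameters are assumptions for illustration; only the `YII_CSRF_TOKEN` name comes from the entry.

```python
import hmac
import secrets

# Minimal request model used only for this example; it is not Yii's or
# LimeSurvey's request object. `session_token` stands for the per-session
# CSRF secret the server stored when the session was created.
def make_request(method, query=None, body=None, session_token=None):
    return {"method": method.upper(), "query": dict(query or {}),
            "body": dict(body or {}), "session_token": session_token}

def new_session_token():
    return secrets.token_hex(32)

def _tokens_match(sent, expected):
    # Constant-time comparison; both sides are encoded so non-ASCII input
    # cannot raise TypeError instead of simply failing the check.
    return hmac.compare_digest(sent.encode(), expected.encode())

def verify_csrf_vulnerable(req):
    """Shape of the flaw described in CVE-2024-39063: the token is checked
    only in a POST body, so a GET carrying the same parameters is waved
    through unchecked."""
    if req["method"] == "POST":
        sent = req["body"].get("YII_CSRF_TOKEN")
        return sent is not None and _tokens_match(sent, req["session_token"])
    return True

def verify_csrf_hardened(req):
    """For a state-changing endpoint: safe methods may never mutate state,
    so they are rejected outright; everything else needs a matching token."""
    if req["method"] in ("GET", "HEAD", "OPTIONS", "TRACE"):
        return False
    sent = req["body"].get("YII_CSRF_TOKEN")
    expected = req["session_token"]
    if not sent or not expected:
        return False
    return _tokens_match(sent, expected)

def forged_get_outcomes(session_token):
    """A cross-site GET an attacker can trigger from an <img src> or a link:
    the same parameters as the legitimate POST, no token at all."""
    req = make_request("GET", query={"action": "delete", "sid": "1"},
                       session_token=session_token)
    return {"vulnerable": verify_csrf_vulnerable(req),
            "hardened": verify_csrf_hardened(req)}

if __name__ == "__main__":
    tok = new_session_token()
    print(forged_get_outcomes(tok))  # {'vulnerable': True, 'hardened': False}
```

The hardened version deliberately does not look for the token in the query string: accepting it there would still let a state change ride on a GET, which is the property the entry says was missing.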
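Three of the entries above describe request shapes that leave traces in ordinary web-server access logs: a CR/LF pair encoded into a URL path segment (CVE-2025-41376), repeated 3xx responses from /optin or /optout to one client (CVE-2025-41074 and CVE-2025-41075), and requests arriving under a Host the deployment does not own, which is how a poisoned password-reset link gets built (CVE-2024-42903). The following is an added example of detection logic run over a few constructed Apache-style log lines; it is not code from LimeSurvey or from this database. The log format with a leading virtual-host field, the host names, IP addresses, timestamps, the password-reset path and the threshold of five redirects are all assumptions for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# Constructed Apache-style access log with a leading virtual-host field
# (LogFormat "%v %h %l %u %t \"%r\" %>s %b"). Sample data for this example only.
# The forgotpassword path is assumed for illustration, not taken from the page.
SAMPLE_LOG = """\
survey.example.org 198.51.100.7 - - [01/Aug/2025:10:00:01 +0000] "GET /index.php/survey/index/sid/123/token/fwyfw%0d%0aCookie:%20POC HTTP/1.1" 200 512
survey.example.org 198.51.100.7 - - [01/Aug/2025:10:00:02 +0000] "GET /index.php/survey/index/sid/123/token/abc123 HTTP/1.1" 200 8210
survey.example.org 203.0.113.9 - - [20/Nov/2025:09:15:00 +0000] "GET /index.php/optin HTTP/1.1" 302 0
survey.example.org 203.0.113.9 - - [20/Nov/2025:09:15:00 +0000] "GET /index.php/optin HTTP/1.1" 302 0
survey.example.org 203.0.113.9 - - [20/Nov/2025:09:15:01 +0000] "GET /index.php/optin HTTP/1.1" 302 0
survey.example.org 203.0.113.9 - - [20/Nov/2025:09:15:01 +0000] "GET /index.php/optin HTTP/1.1" 302 0
survey.example.org 203.0.113.9 - - [20/Nov/2025:09:15:01 +0000] "GET /index.php/optin HTTP/1.1" 302 0
survey.example.org 203.0.113.9 - - [20/Nov/2025:09:15:02 +0000] "GET /index.php/optin HTTP/1.1" 302 0
survey.example.org 203.0.113.10 - - [20/Nov/2025:09:16:00 +0000] "GET /index.php/optout HTTP/1.1" 302 0
evil.example.net 192.0.2.44 - - [03/Sep/2024:12:00:00 +0000] "POST /index.php/admin/authentication/sa/forgotpassword HTTP/1.1" 200 1800
"""

LINE_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+$'
)

def parse_log(text):
    """Parse each line into a dict; lines that do not match the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["status"] = int(e["status"])
            e["path"] = urlsplit(e["target"]).path  # drop any query string
            entries.append(e)
    return entries

def find_crlf_injection(entries):
    """CVE-2025-41376 pattern: CR or LF smuggled into the request target.
    The raw target is percent-encoded, so decode before looking."""
    return [e for e in entries if any(c in unquote(e["target"]) for c in "\r\n")]

def find_redirect_storms(entries, threshold=5):
    """CVE-2025-41074/41075 pattern: a client bouncing on /optin or /optout.
    A browser following the loop leaves a burst of 3xx lines for one path."""
    counts = Counter()
    for e in entries:
        last_segment = e["path"].rstrip("/").rsplit("/", 1)[-1]
        if 300 <= e["status"] < 400 and last_segment in ("optin", "optout"):
            counts[(e["client"], e["path"])] += 1
    return {key: n for key, n in counts.items() if n >= threshold}

def find_unexpected_hosts(entries, allowed_hosts):
    """CVE-2024-42903 angle: a request served under a Host header the site does
    not own. If that request is a password reset, the mailed link will point at
    the attacker's domain unless the application builds links from a fixed base URL."""
    return [e for e in entries if e["vhost"].lower() not in allowed_hosts]

def triage(text, allowed_hosts=frozenset({"survey.example.org"})):
    entries = parse_log(text)
    return {
        "parsed": len(entries),
        "crlf": [e["target"] for e in find_crlf_injection(entries)],
        "redirect_storms": find_redirect_storms(entries),
        "unexpected_hosts": [(e["vhost"], e["path"])
                             for e in find_unexpected_hosts(entries, allowed_hosts)],
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

The Host check flags any request under an unowned name, not just password resets, because a server that answers for arbitrary Host values is the precondition for the injection regardless of which endpoint is hit; the redirect count is kept per client and path so a single direct visit to /optout (as in the sample) does not trip it.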
Page 2 of 4