VYPR

Limesurvey

All CVEs

80 total · sorted by risk
  • CVE-2025-34120 · High · Jul 16, 2025
    risk 0.65 · cvss - · epss 0.01

    An unauthenticated file download vulnerability exists in LimeSurvey versions from 2.0+ up to and including 2.06+ Build 151014. The application fails to validate serialized input to the admin backup endpoint (`index.php/admin/update/sa/backup`), allowing attackers to specify…

  • CVE-2018-7556 · Critical · Feb 28, 2018
    risk 0.59 · cvss 9.1 · epss 0.02

    LimeSurvey 2.6.x before 2.6.7, 2.7x.x before 2.73.1, and 3.x before 3.4.2 mishandles application/controller/InstallerController.php after installation, which allows remote attackers to access the configuration file.

  • CVE-2026-50636 · High · Jun 9, 2026
    risk 0.50 · cvss 8.8 · epss 0.00

    The RemoteControl API methods invite_participants and remind_participants pass a caller-supplied token-ID array into TokenDynamic::findUninvited(), which concatenates the values directly into a tid IN ('...') SQL clause without parameterization or input validation. A remote,…

  • CVE-2026-50635 · High · Jun 9, 2026
    risk 0.50 · cvss 8.8 · epss 0.00

    LimeSurvey constructs account password-reset links from the client-supplied HTTP Host header without validating it. The optional allowedHosts allowlist that would constrain this is undefined in the default (and documented) configuration, so LSHttpRequest::checkIsAllowedHost()…

  • CVE-2018-17003 · Medium · Sep 21, 2018
    risk 0.40 · cvss 6.1 · epss 0.01

    In LimeSurvey 3.14.7, HTML Injection and Stored XSS have been discovered in the appendix via the surveyls_title parameter to /index.php?r=admin/survey/sa/insert.

  • CVE-2024-6933 · Medium · Jul 21, 2024
    risk 0.34 · cvss 6.3 · epss 0.01

    A flaw has been found in LimeSurvey 6.5.14-240624. Affected by this issue is the function actionUpdateSurveyLocaleSettingsGeneralSettings of the file /index.php?r=admin/database/index/updatesurveylocalesettings_generalsettings of the component Survey General Settings Handler.…

  • CVE-2025-70797 · Medium · Apr 9, 2026
    risk 0.33 · cvss 6.1 · epss 0.00

    Cross Site Scripting vulnerability in Limesurvey v.6.15.20+251021 allows a remote attacker to execute arbitrary code via the Box[title] and box[url] parameters.

  • CVE-2025-63238 · Medium · Apr 9, 2026
    risk 0.33 · cvss 6.1 · epss 0.00

    A Reflected Cross-Site Scripting (XSS) affects LimeSurvey versions prior to 6.15.11+250909, due to the lack of validation of gid parameter in getInstance() function in application/models/QuestionCreate.php. This allows an attacker to craft a malicious URL and compromise the…

  • CVE-2018-16397 · Medium · Sep 3, 2018
    risk 0.32 · cvss 4.9 · epss 0.01

    In LimeSurvey before 3.14.7, an admin user can leverage a "file upload" question to read an arbitrary file,

  • CVE-2018-1000513 · Medium · Jun 26, 2018
    risk 0.31 · cvss 4.8 · epss 0.01

    LimeSurvey version 3.0.0-beta.3+17110 contains a Cross Site Scripting (XSS) vulnerability in Boxes that can result in JS code execution against LimeSurvey admins. This vulnerability appears to have been fixed in 3.6.x.

  • CVE-2018-1000514 · Medium · Jun 26, 2018
    risk 0.28 · cvss 4.3 · epss 0.00

    LimeSurvey version 3.0.0-beta.3+17110 contains a Cross Site Request Forgery (CSRF) vulnerability in Boxes that can result in CSRF admins to delete boxes. This vulnerability appears to have been fixed in 3.6.x.

  • CVE-2020-11455 · Apr 1, 2020
    risk 0.11 · cvss - · epss 0.97

    LimeSurvey before 4.1.12+200324 contains a path traversal vulnerability in application/controllers/admin/LimeSurveyFileManager.php.

  • CVE-2020-11456 · Apr 1, 2020
    risk 0.09 · cvss - · epss 0.71

    LimeSurvey before 4.1.12+200324 has stored XSS in application/views/admin/surveysgroups/surveySettings.php and application/models/SurveysGroups.php (aka survey groups).

  • CVE-2007-3632 · Jul 10, 2007
    risk 0.08 · cvss - · epss 0.62

    Multiple PHP remote file inclusion vulnerabilities in LimeSurvey (aka PHPSurveyor) 1.49RC2 allow remote attackers to execute arbitrary PHP code via a URL in the homedir parameter to (1) OLE/PPS/File.php, (2) OLE/PPS/Root.php, (3) Spreadsheet/Excel/Writer.php, or (4) OLE/PPS.php…

  • CVE-2021-44967 · Feb 22, 2022
    risk 0.06 · cvss - · epss 0.13

    A Remote Code Execution (RCE) vulnerability exists in LimeSurvey 5.2.4 via the upload and install plugins function, which could let a remote malicious user upload an arbitrary PHP code file. NOTE: the Supplier's position is that plugins intentionally can contain arbitrary PHP…

  • CVE-2019-9960 · Mar 24, 2019
    risk 0.04 · cvss - · epss 0.13

    The downloadZip function in application/controllers/admin/export.php in LimeSurvey through 3.16.1+190225 allows a relative path.

  • CVE-2012-4927 · Sep 15, 2012
    risk 0.03 · cvss - · epss 0.02

    SQL injection vulnerability in Limesurvey (a.k.a. PHPSurveyor) before 1.91+ Build 120224 and earlier allows remote attackers to execute arbitrary SQL commands via the fieldnames parameter to index.php.

  • CVE-2007-5573 · Oct 18, 2007
    risk 0.03 · cvss - · epss 0.03

    PHP remote file inclusion vulnerability in classes/core/language.php in LimeSurvey 1.5.2 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the rootdir parameter.

  • CVE-2025-56422 · Mar 10, 2026
    risk 0.00 · cvss - · epss 0.01

    A deserialization vulnerability in LimeSurvey before v6.15.0+250623 allows a remote attacker to execute arbitrary code on the server.

  • CVE-2025-56421 · Mar 10, 2026
    risk 0.00 · cvss - · epss 0.00

    SQL Injection vulnerability in LimeSurvey before v.6.15.4+250710 allows a remote attacker to obtain sensitive information from the database.

  • CVE-2020-36993 · Jan 28, 2026
    risk 0.00 · cvss - · epss 0.00

    LimeSurvey 4.3.10 contains a stored cross-site scripting vulnerability in the Survey Menu functionality of the administration panel. Attackers can inject malicious SVG scripts through the Surveymenu[title] and Surveymenu[parent_id] parameters to execute arbitrary JavaScript in…

  • CVE-2025-41076 · Nov 20, 2025
    risk 0.00 · cvss - · epss 0.00

    In version 6.13.0 of LimeSurvey, any external user can cause a 500 error in the survey system by sending a malformed session cookie. Instead of displaying a generic error message, the system exposes internal backend information, including the use of the Yii framework, the…

  • CVE-2025-41075 · Nov 20, 2025
    risk 0.00 · cvss - · epss 0.00

    Vulnerability in LimeSurvey 6.13.0 in the endpoint /optin that causes infinite HTTP redirects when accessed directly. This behavior can be exploited to generate a Denial of Service (DoS) attack, by exhausting server or client resources. The system is unable to break the…

  • CVE-2025-41074 · Nov 20, 2025
    risk 0.00 · cvss - · epss 0.00

    Vulnerability in LimeSurvey 6.13.0 in the endpoint /optout that causes infinite HTTP redirects when accessed directly. This behavior can be exploited to generate a Denial of Service (DoS) attack, by exhausting server or client resources. The system is unable to break the…

  • CVE-2025-41376 · Aug 1, 2025
    risk 0.00 · cvss - · epss 0.00

    CRLF Injection vulnerability in Limesurvey v2.65.1+170522. This vulnerability could allow a remote attacker to inject arbitrary HTTP headers and perform HTTP response splitting attacks via '/index.php/survey/index/sid//token/fwyfw%0d%0aCookie:%20POC'.

  • CVE-2025-41375 · Aug 1, 2025
    risk 0.00 · cvss - · epss 0.01

    SQL Injection vulnerability in Limesurvey v2.65.1+170522. This vulnerability allows an attacker to retrieve, create, update and delete database via 'token' parameter in '/index.php' endpoint.

  • CVE-2024-28709 · Oct 7, 2024
    risk 0.00 · cvss - · epss 0.01

    Cross Site Scripting vulnerability in LimeSurvey before 6.5.12+240611 allows a remote attacker to execute arbitrary code via a crafted script to the title and comment fields.

  • CVE-2024-28710 · Oct 7, 2024
    risk 0.00 · cvss - · epss 0.01

    Cross Site Scripting vulnerability in LimeSurvey before 6.5.0+240319 allows a remote attacker to execute arbitrary code via a lack of input validation and output encoding in the Alert Widget's message component.

  • CVE-2024-42902 · Sep 3, 2024
    risk 0.00 · cvss - · epss 0.01

    An issue in the js_localize.php function of LimeSurvey v6.6.2 and before allows attackers to execute arbitrary code via injecting a crafted payload into the lng parameter of the js_localize.php function.

  • CVE-2024-42901 · Sep 3, 2024
    risk 0.00 · cvss - · epss 0.00

    A CSV injection vulnerability in Lime Survey v6.5.12 allows attackers to execute arbitrary code via uploading a crafted CSV file.

  • CVE-2024-42903 · Sep 3, 2024
    risk 0.00 · cvss - · epss 0.00

    A Host header injection vulnerability in the password reset function of LimeSurvey v.6.6.1+240806 and before allows attackers to send users a crafted password reset link that will direct victims to a malicious domain.

  • CVE-2024-7887 · Aug 17, 2024
    risk 0.00 · cvss - · epss 0.01

    A vulnerability was found in LimeSurvey 6.3.0-231016 and classified as problematic. Affected by this issue is some unknown functionality of the file /index.php of the component File Upload. The manipulation of the argument size leads to denial of service. The attack may be…

  • CVE-2024-39063 · Jul 9, 2024
    risk 0.00 · cvss - · epss 0.00

    Lime Survey <= 6.5.12 is vulnerable to Cross Site Request Forgery (CSRF). The YII_CSRF_TOKEN is only checked when passed in the body of POST requests, but the same check isn't performed in the equivalent GET requests.

  • CVE-2023-44796 · Nov 17, 2023
    risk 0.00 · cvss - · epss 0.01

    Cross Site Scripting (XSS) vulnerability in LimeSurvey before version 6.2.9-230925 allows a remote attacker to escalate privileges via a crafted script to the _generaloptions_panel.php component.

  • CVE-2022-48010 · Jan 27, 2023
    risk 0.00 · cvss - · epss 0.00

    LimeSurvey v5.4.15 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the component /index.php/surveyAdministration/rendersidemenulink?subaction=surveytexts. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted…

  • CVE-2022-48008 · Jan 27, 2023
    risk 0.00 · cvss - · epss 0.01

    An arbitrary file upload vulnerability in the plugin manager of LimeSurvey v5.4.15 allows attackers to execute arbitrary code via a crafted PHP file.

  • CVE-2022-43279 · Nov 15, 2022
    risk 0.00 · cvss - · epss 0.01

    LimeSurvey before v5.0.4 was discovered to contain a SQL injection vulnerability via the component /application/views/themeOptions/update.php.

  • CVE-2022-29710 · May 24, 2022
    risk 0.00 · cvss - · epss 0.01

    A cross-site scripting (XSS) vulnerability in uploadConfirm.php of LimeSurvey v5.3.9 and below allows attackers to execute arbitrary web scripts or HTML via a crafted plugin.

  • CVE-2018-10228 · Dec 14, 2021
    risk 0.00 · cvss - · epss 0.01

    Cross-site scripting (XSS) vulnerability in /application/controller/admin/theme.php in LimeSurvey 3.6.2+180406 allows remote attackers to inject arbitrary web script or HTML via the changes_cp parameter to the index.php/admin/themes/sa/templatesavechanges URI.

  • CVE-2020-22607 · Jun 28, 2021
    risk 0.00 · cvss - · epss 0.01

    Cross Site Scripting vulnerability in LimeSurvey 4.1.11+200316 via the (1) name and (2) description parameters in application/controllers/admin/PermissiontemplatesController.php.

  • CVE-2020-23710 · Jun 28, 2021
    risk 0.00 · cvss - · epss 0.01

    Cross Site Scripting (XSS) vulnerability in LimeSurvey 4.2.5 on textbox via the Notifications & data feature.

  • CVE-2019-25019 · Feb 14, 2021
    risk 0.00 · cvss - · epss 0.01

    LimeSurvey before 4.0.0-RC4 allows SQL injection via the participant model.

  • CVE-2020-25799 · Dec 31, 2020
    risk 0.00 · cvss - · epss 0.01

    LimeSurvey 3.21.1 is affected by cross-site scripting (XSS) in the Quota component of the Survey page. When the survey quota is being viewed, e.g. by an administrative user, the JavaScript code will be executed in the browser.

  • CVE-2020-25797 · Dec 31, 2020
    risk 0.00 · cvss - · epss 0.01

    LimeSurvey 3.21.1 is affected by cross-site scripting (XSS) in the Add Participants Function (First and last name parameters). When the survey participant is being edited, e.g. by an administrative user, the JavaScript code will be executed in the browser.

  • CVE-2020-25798 · Nov 17, 2020
    risk 0.00 · cvss - · epss 0.01

    A stored cross-site scripting (XSS) vulnerability in LimeSurvey before and including 3.21.1 allows authenticated users with correct permissions to inject arbitrary web script or HTML via parameter ParticipantAttributeNamesDropdown of the Attributes on the central participant…

  • CVE-2020-16192 · Aug 5, 2020
    risk 0.00 · cvss - · epss 0.01

    LimeSurvey 4.3.2 allows reflected XSS because application/controllers/LSBaseController.php lacks code to validate parameters.

  • CVE-2019-14512 · Mar 16, 2020
    risk 0.00 · cvss - · epss 0.01

    LimeSurvey 3.17.7+190627 has XSS via Boxes in application/extensions/PanelBoxWidget/views/box.php or a label title in application/views/admin/labels/labelview_view.php.

  • CVE-2019-17660 · Oct 16, 2019
    risk 0.00 · cvss - · epss 0.01

    A cross-site scripting (XSS) vulnerability in admin/translate/translateheader_view.php in LimeSurvey 3.19.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the tolang parameter, as demonstrated by the index.php/admin/translate/sa/index/surveyid/3368…

  • CVE-2019-16174 · Sep 9, 2019
    risk 0.00 · cvss - · epss 0.02

    An XML injection vulnerability was found in Limesurvey before 3.17.14 that allows remote attackers to import specially crafted XML files and execute code or compromise data integrity.

  • CVE-2019-16175 · Sep 9, 2019
    risk 0.00 · cvss - · epss 0.01

    A clickjacking vulnerability was found in Limesurvey before 3.17.14.

Page 1 of 2