Shodan
Vulnerabilities
Vulnerable Software
Limesurvey:  >> Limesurvey  >> 6.13.0  Security Vulnerabilities
CVE-2025-63238
A Reflected Cross-Site Scripting (XSS) affects LimeSurvey versions prior to 6.15.11+250909, due to the lack of validation of gid parameter in getInstance() function in application/models/QuestionCreate.php. This allows an attacker to craft a malicious URL and compromise the logged in user.
CVSS Score
6.1
EPSS Score
0.0
Published
2026-04-09
CVE-2025-56421
SQL Injection vulnerability in LimeSurvey before v.6.15.4+250710 allows a remote attacker to obtain sensitive information from the database.
CVSS Score
7.5
EPSS Score
0.0
Published
2026-03-10
CVE-2025-56422
A deserialization vulnerability in LimeSurvey before v6.15.0+250623 allows a remote attacker to execute arbitrary code on the server.
CVSS Score
9.8
EPSS Score
0.002
Published
2026-03-10
CVE-2025-41074
Vulnerability in LimeSurvey 6.13.0 in the endpoint /optout that causes infinite HTTP redirects when accessed directly. This behavior can be exploited to generate a Denegation of Service (DoS attack), by exhausting server or client resources. The system is unable to break the redirect loop, which can cause service degradation or browser instability.
CVSS Score
6.9
EPSS Score
0.0
Published
2025-11-20
CVE-2025-41075
Vulnerability in LimeSurvey 6.13.0 in the endpoint /optin that causes infinite HTTP redirects when accessed directly. This behavior can be exploited to generate a Denegation of Service (DoS attack), by exhausting server or client resources. The system is unable to break the redirect loop, which can cause service degradation or browser instability.
CVSS Score
6.9
EPSS Score
0.0
Published
2025-11-20
CVE-2025-41076
In version 6.13.0 of LimeSurvey, any external user can cause a 500 error in the survey system by sending a malformed session cookie. Instead of displaying a generic error message, the system exposes internal backend information, including the use of the Yii framework, the MySQL/MariaDB database engine, the table name 'lime_sessions', primary keys, and fragments of the content that caused the conflict. This information can simplify the collection of data about the internal architecture of the application by an attacker.
CVSS Score
6.9
EPSS Score
0.0
Published
2025-11-20
CVE-2012-4927
SQL injection vulnerability in Limesurvey (a.k.a PHPSurveyor) before 1.91+ Build 120224 and earlier allows remote attackers to execute arbitrary SQL commands via the fieldnames parameter to index.php.
CVSS Score
7.5
EPSS Score
0.034
Published
2012-09-15


Products
Pricing
Contact Us

Shodan ® - All rights reserved