Limesurvey: >> Limesurvey >> 1.85 Security Vulnerabilities
A Reflected Cross-Site Scripting (XSS) affects LimeSurvey versions prior to 6.15.11+250909, due to the lack of validation of gid parameter in getInstance() function in application/models/QuestionCreate.php. This allows an attacker to craft a malicious URL and compromise the logged in user.
CVSS Score
6.1
EPSS Score
0.0
Published
2026-04-09
SQL Injection vulnerability in LimeSurvey before v.6.15.4+250710 allows a remote attacker to obtain sensitive information from the database.
CVSS Score
7.5
EPSS Score
0.0
Published
2026-03-10
A deserialization vulnerability in LimeSurvey before v6.15.0+250623 allows a remote attacker to execute arbitrary code on the server.
CVSS Score
9.8
EPSS Score
0.002
Published
2026-03-10
LimeSurvey 4.3.10 contains a stored cross-site scripting vulnerability in the Survey Menu functionality of the administration panel. Attackers can inject malicious SVG scripts through the Surveymenu[title] and Surveymenu[parent_id] parameters to execute arbitrary JavaScript in administrative contexts.
CVSS Score
5.1
EPSS Score
0.0
Published
2026-01-28
Cross Site Scripting vulnerability in LimeSurvey before 6.5.12+240611 allows a remote attacker to execute arbitrary code via a crafted script to the title and comment fields.
CVSS Score
6.1
EPSS Score
0.011
Published
2024-10-07
Cross Site Scripting vulnerability in LimeSurvey before 6.5.0+240319 allows a remote attacker to execute arbitrary code via a lack of input validation and output encoding in the Alert Widget's message component.
CVSS Score
6.1
EPSS Score
0.006
Published
2024-10-07
A CSV injection vulnerability in Lime Survey v6.5.12 allows attackers to execute arbitrary code via uploading a crafted CSV file.
CVSS Score
4.8
EPSS Score
0.002
Published
2024-09-03
An issue in the js_localize.php function of LimeSurvey v6.6.2 and before allows attackers to execute arbitrary code via injecting a crafted payload into the lng parameter of the js_localize.php function
CVSS Score
8.8
EPSS Score
0.002
Published
2024-09-03
A Host header injection vulnerability in the password reset function of LimeSurvey v.6.6.1+240806 and before allows attackers to send users a crafted password reset link that will direct victims to a malicious domain.
CVSS Score
6.5
EPSS Score
0.003
Published
2024-09-03
Lime Survey <= 6.5.12 is vulnerable to Cross Site Request Forgery (CSRF). The YII_CSRF_TOKEN is only checked when passed in the body of POST requests, but the same check isn't performed in the equivalent GET requests.
CVSS Score
8.8
EPSS Score
0.002
Published
2024-07-09
Page 1