threatengine.sh
Product: limesurvey
82 known vulnerabilities across versions
Vulnerabilities are listed by affected version. Select any CVE for the full briefing and its intelligence graph.
| CVE | Affected versions | Description | CVSS | Severity |
|---|---|---|---|---|
| CVE-2025-70797 | all versions | Cross Site Scripting vulnerability in Limesurvey v.6.15.20+251021 allows a remote attacker to execute arbitrary code via the Box[t | 6.1 | MEDIUM |
| CVE-2025-63238 | < 6.15.12 | A Reflected Cross-Site Scripting (XSS) affects LimeSurvey versions prior to 6.15.11+250909, due to the lack of validation of gid p | 6.1 | MEDIUM |
| CVE-2025-56422 | <= 6.14.3 | A deserialization vulnerability in LimeSurvey before v6.15.0+250623 allows a remote attacker to execute arbitrary code on the serv | 9.8 | CRITICAL |
| CVE-2025-56421 | <= 6.15.3 | SQL Injection vulnerability in LimeSurvey before v.6.15.4+250710 allows a remote attacker to obtain sensitive information from the | 7.5 | HIGH |
| CVE-2020-36993 | <= 4.3.10 | LimeSurvey 4.3.10 contains a stored cross-site scripting vulnerability in the Survey Menu functionality of the administration pane | 5.4 | MEDIUM |
| CVE-2025-41076 | all versions | In version 6.13.0 of LimeSurvey, any external user can cause a 500 error in the survey system by sending a malformed session cooki | 6.5 | MEDIUM |
| CVE-2025-41075 | all versions | Vulnerability in LimeSurvey 6.13.0 in the endpoint /optin that causes infinite HTTP redirects when accessed directly. This behavi | 7.5 | HIGH |
| CVE-2025-41074 | all versions | Vulnerability in LimeSurvey 6.13.0 in the endpoint /optout that causes infinite HTTP redirects when accessed directly. This behav | 7.5 | HIGH |
| CVE-2025-41376 | >= 2.65.1 and < 3.0.0 | CRLF Injection vulnerability in Limesurvey v2.65.1+170522. This vulnerability could allow a remote attacker to inject arbitrary | 5.3 | MEDIUM |
| CVE-2025-41375 | >= 2.65.1 and < 3.0.0 | SQL Injection vulnerability in Limesurvey v2.65.1+170522. This vulnerability allows an attacker to retrieve, create, update and de | 9.8 | CRITICAL |
| CVE-2024-28710 | < 6.5.0+240319 | Cross Site Scripting vulnerability in LimeSurvey before 6.5.0+240319 allows a remote attacker to execute arbitrary code via a lack | 6.1 | MEDIUM |
| CVE-2024-28709 | < 6.5.12+240611 | Cross Site Scripting vulnerability in LimeSurvey before 6.5.12+240611 allows a remote attacker to execute arbitrary code via a cra | 6.1 | MEDIUM |
| CVE-2024-42903 | <= 6.6.1+240806 | A Host header injection vulnerability in the password reset function of LimeSurvey v.6.6.1+240806 and before allows attackers to s | 6.5 | MEDIUM |
| CVE-2024-42902 | <= 6.6.2 | An issue in the js_localize.php function of LimeSurvey v6.6.2 and before allows attackers to execute arbitrary code via injecting | 8.8 | HIGH |
| CVE-2024-42901 | <= 6.5.12 | A CSV injection vulnerability in Lime Survey v6.5.12 allows attackers to execute arbitrary code via uploading a crafted CSV file. | 4.8 | MEDIUM |
| CVE-2024-7887 | all versions | A vulnerability was found in LimeSurvey 6.3.0-231016 and classified as problematic. Affected by this issue is some unknown functio | 2.7 | LOW |
| CVE-2024-6933 | >= 6.5.14 and < 6.6.2 | A flaw has been found in LimeSurvey 6.5.14-240624. Affected by this issue is the function actionUpdateSurveyLocaleSettingsGeneralS | 6.3 | MEDIUM |
| CVE-2024-39063 | <= 6.5.12 | Lime Survey <= 6.5.12 is vulnerable to Cross Site Request Forgery (CSRF). The YII_CSRF_TOKEN is only checked when passed in the bo | 8.8 | HIGH |
| CVE-2024-24506 | all versions | Cross Site Scripting (XSS) vulnerability in Lime Survey Community Edition Version v.5.3.32+220817, allows remote attackers to exec | 6.1 | MEDIUM |
| CVE-2023-44796 | < 6.2.9 | Cross Site Scripting (XSS) vulnerability in LimeSurvey before version 6.2.9-230925 allows a remote attacker to escalate privileges | 5.4 | MEDIUM |
| CVE-2022-48010 | all versions | LimeSurvey v5.4.15 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the component /index.php/surveyA | 5.4 | MEDIUM |
| CVE-2022-48008 | all versions | An arbitrary file upload vulnerability in the plugin manager of LimeSurvey v5.4.15 allows attackers to execute arbitrary code via | 9.8 | CRITICAL |
| CVE-2022-43279 | all versions | LimeSurvey before v5.0.4 was discovered to contain a SQL injection vulnerability via the component /application/views/themeOptions | 7.2 | HIGH |
| CVE-2022-29710 | <= 5.3.9 | A cross-site scripting (XSS) vulnerability in uploadConfirm.php of LimeSurvey v5.3.9 and below allows attackers to execute arbitra | 6.1 | MEDIUM |
| CVE-2021-44967 | all versions | A Remote Code Execution (RCE) vulnerability exists in LimeSurvey 5.2.4 via the upload and install plugins function, which could let | 8.8 | HIGH |
| CVE-2018-10228 | all versions | Cross-site scripting (XSS) vulnerability in /application/controller/admin/theme.php in LimeSurvey 3.6.2+180406 allows remote attac | 6.1 | MEDIUM |
| CVE-2021-42112 | >= 3.0.0 and <= 3.27.18 | The "File upload question" functionality in LimeSurvey 3.x-LTS through 3.27.18 allows XSS in assets/scripts/modaldialog.js and ass | 6.1 | MEDIUM |
| CVE-2020-22607 | all versions | Cross Site Scripting vulnerability in LimeSurvey 4.1.11+200316 via the (1) name and (2) description parameters in application/contr | 6.1 | MEDIUM |
| CVE-2020-23710 | all versions | Cross Site Scripting (XSS) vulnerability in LimeSurvey 4.2.5 on textbox via the Notifications & data feature. | 5.4 | MEDIUM |
| CVE-2019-25019 | < 3.19.0 | LimeSurvey before 4.0.0-RC4 allows SQL injection via the participant model. | 9.8 | CRITICAL |
| CVE-2020-25799 | all versions | LimeSurvey 3.21.1 is affected by cross-site scripting (XSS) in the Quota component of the Survey page. When the survey quota being | 5.4 | MEDIUM |
| CVE-2020-25797 | all versions | LimeSurvey 3.21.1 is affected by cross-site scripting (XSS) in the Add Participants Function (First and last name parameters). Whe | 5.4 | MEDIUM |
| CVE-2020-25798 | <= 3.21.1 | A stored cross-site scripting (XSS) vulnerability in LimeSurvey before and including 3.21.1 allows authenticated users with correc | 5.4 | MEDIUM |
| CVE-2020-16192 | all versions | LimeSurvey 4.3.2 allows reflected XSS because application/controllers/LSBaseController.php lacks code to validate parameters. | 6.1 | MEDIUM |
| CVE-2020-11456 | <= 4.1.11 | LimeSurvey before 4.1.12+200324 has stored XSS in application/views/admin/surveysgroups/surveySettings.php and application/models/ | 5.4 | MEDIUM |
| CVE-2020-11455 | <= 4.1.11 | LimeSurvey before 4.1.12+200324 contains a path traversal vulnerability in application/controllers/admin/LimeSurveyFileManager.php | 9.8 | CRITICAL |
| CVE-2019-14512 | all versions | LimeSurvey 3.17.7+190627 has XSS via Boxes in application/extensions/PanelBoxWidget/views/box.php or a label title in application/ | 6.1 | MEDIUM |
| CVE-2019-17660 | <= 3.19.1 | A cross-site scripting (XSS) vulnerability in admin/translate/translateheader_view.php in LimeSurvey 3.19.1 and earlier allows rem | 6.1 | MEDIUM |
| CVE-2019-16187 | < 3.17.14 | Limesurvey before 3.17.14 uses an anti-CSRF cookie without the HttpOnly flag, which allows attackers to access a cookie value via | 7.5 | HIGH |
| CVE-2019-16186 | < 3.17.14 | In Limesurvey before 3.17.14, admin users can access the plugin manager without proper permissions. | 7.2 | HIGH |
| CVE-2019-16185 | < 3.17.14 | In Limesurvey before 3.17.14, admin users can view, update, or delete reserved menu entries without proper permissions. | 7.2 | HIGH |
| CVE-2019-16184 | < 3.17.14 | A CSV injection vulnerability was found in Limesurvey before 3.17.14 that allows survey participants to inject commands via their | 9.8 | CRITICAL |
| CVE-2019-16183 | < 3.17.14 | In Limesurvey before 3.17.14, admin users can run an integrity check without proper permissions. | 2.7 | LOW |
| CVE-2019-16182 | < 3.17.14 | A reflected cross-site scripting (XSS) vulnerability was found in Limesurvey before 3.17.14 that allows remote attackers to inject | 6.1 | MEDIUM |
| CVE-2019-16181 | < 3.17.14 | In Limesurvey before 3.17.14, admin users can mark other users' notifications as read. | 2.7 | LOW |
| CVE-2019-16180 | < 3.17.14 | Limesurvey before 3.17.14 allows remote attackers to bruteforce the login form and enumerate usernames when the LDAP authenticatio | 5.3 | MEDIUM |
| CVE-2019-16179 | < 3.17.14 | Limesurvey before 3.17.14 does not enforce SSL/TLS usage in the default configuration. | 5.3 | MEDIUM |
| CVE-2019-16178 | < 3.17.14 | A stored cross-site scripting (XSS) vulnerability was found in Limesurvey before 3.17.14 that allows authenticated users with corr | 5.4 | MEDIUM |
| CVE-2019-16177 | < 3.17.14 | In Limesurvey before 3.17.14, the entire database is exposed through browser caching. | 7.5 | HIGH |
| CVE-2019-16176 | < 3.17.14 | A path disclosure vulnerability was found in Limesurvey before 3.17.14 that allows a remote attacker to discover the path to the a | 5.3 | MEDIUM |
| CVE-2019-16175 | < 3.17.14 | A clickjacking vulnerability was found in Limesurvey before 3.17.14. | 4.3 | MEDIUM |
| CVE-2019-16174 | < 3.17.14 | An XML injection vulnerability was found in Limesurvey before 3.17.14 that allows remote attackers to import specially crafted XML | 8.8 | HIGH |
| CVE-2019-16173 | < 3.17.4 | LimeSurvey before v3.17.14 allows reflected XSS for escalating privileges from a low-privileged account to, for example, SuperAdmi | 5.4 | MEDIUM |
| CVE-2019-16172 | < 3.17.4 | LimeSurvey before v3.17.14 allows stored XSS for escalating privileges from a low-privileged account to, for example, SuperAdmin. | 5.4 | MEDIUM |
| CVE-2019-15640 | < 3.17.10 | Limesurvey before 3.17.10 does not validate both the MIME type and file extension of an image. | 7.5 | HIGH |
| CVE-2019-9960 | <= 3.16.1+190225 | The downloadZip function in application/controllers/admin/export.php in LimeSurvey through 3.16.1+190225 allows a relative path. | 9.8 | CRITICAL |
| CVE-2017-18358 | < 2.72.4 | LimeSurvey before 2.72.4 has Stored XSS by using the Continue Later (aka Resume later) feature to enter an email address, which is | 6.1 | MEDIUM |
| CVE-2018-20322 | <= 3.15.5 | LimeSurvey version 3.15.5 contains a Cross-site scripting (XSS) vulnerability in Survey Resource zip upload, resulting in Javascri | 6.1 | MEDIUM |
| CVE-2018-17003 | all versions | In LimeSurvey 3.14.7, HTML Injection and Stored XSS have been discovered in the appendix via the surveyls_title parameter to /inde | 6.1 | MEDIUM |
| CVE-2018-17057 | < 3.16.0 | An issue was discovered in TCPDF before 6.2.22. Attackers can trigger deserialization of arbitrary data via the phar:// wrapper. | 9.8 | CRITICAL |
| CVE-2018-1000659 | <= 3.14.4 | LimeSurvey version 3.14.4 and earlier contains a directory traversal in file upload that allows upload of webshell vulnerability i | 8.8 | HIGH |
| CVE-2018-1000658 | < 3.14.4 | LimeSurvey version prior to 3.14.4 contains a file upload vulnerability in upload functionality that can result in an attacker gai | 8.8 | HIGH |
| CVE-2018-16397 | < 3.14.7 | In LimeSurvey before 3.14.7, an admin user can leverage a "file upload" question to read an arbitrary file, | 4.9 | MEDIUM |
| CVE-2018-1000514 | all versions | LimeSurvey version 3.0.0-beta.3+17110 contains a Cross Site Request Forgery (CSRF) vulnerability in Boxes that can result in CSRF a | 4.3 | MEDIUM |
| CVE-2018-1000513 | all versions | LimeSurvey version 3.0.0-beta.3+17110 contains a Cross Site Scripting (XSS) vulnerability in Boxes that can result in JS code exec | 4.8 | MEDIUM |
| CVE-2018-7556 | >= 2.6.0 and < 2.6.7 | LimeSurvey 2.6.x before 2.6.7, 2.7x.x before 2.73.1, and 3.x before 3.4.2 mishandles application/controller/InstallerController.ph | 9.1 | CRITICAL |
| CVE-2018-1000053 | all versions | LimeSurvey version 3.0.0-beta.3+17110 contains a Cross Site Request Forgery (CSRF) vulnerability in Theme Uninstallation that can r | 8.8 | HIGH |
| CVE-2015-5078 | all versions | SQL injection vulnerability in the insert function in application/controllers/admin/dataentry.php in LimeSurvey 2.06+ allows remot | | |
| CVE-2015-4628 | <= 2.06+ | SQL injection vulnerability in application/controllers/admin/questiongroups.php in LimeSurvey before 2.06+ Build 150618 allows rem | | |
| CVE-2014-5018 | all versions | Incomplete blacklist vulnerability in the autoEscape function in common_helper.php in LimeSurvey 2.05+ Build 140618 allows remote | | |
| CVE-2014-5017 | all versions | SQL injection vulnerability in CPDB in application/controllers/admin/participantsaction.php in LimeSurvey 2.05+ Build 140618 allow | | |
| CVE-2014-5016 | all versions | Multiple cross-site scripting (XSS) vulnerabilities in LimeSurvey 2.05+ Build 140618 allow remote attackers to inject arbitrary we | | |
| CVE-2011-5256 | <= 1.91+ | Cross-site scripting (XSS) vulnerability in the tooltips in LimeSurvey before 1.91+ Build 11379-20111116, when viewing survey resu | | |
| CVE-2012-4995 | <= 1.91+ | Cross-site scripting (XSS) vulnerability in admin/userrighthandling.php in LimeSurvey before 1.91+ Build 120224 allows remote atta | | |
| CVE-2012-4994 | <= 1.91+ | SQL injection vulnerability in admin/admin.php in LimeSurvey before 1.91+ Build 120224 allows remote authenticated users to execut | | |
| CVE-2012-4927 | all versions | SQL injection vulnerability in Limesurvey (a.k.a PHPSurveyor) before 1.91+ Build 120224 and earlier allows remote attackers to exe | | |
| CVE-2011-3752 | all versions | LimeSurvey 1.90+ build9642-20101214 allows remote attackers to obtain sensitive information via a direct request to a .php file, w | | |
| CVE-2009-1604 | all versions | Unspecified vulnerability in LimeSurvey before 1.82 allows remote attackers to execute commands and obtain sensitive data via unkn | | |
| CVE-2008-2571 | <= 1.70 | Cross-site request forgery (CSRF) vulnerability in LimeSurvey (formerly PHPSurveyor) before 1.71 allows remote attackers to change | | |
| CVE-2008-2570 | <= 1.70 | Multiple unspecified vulnerabilities in LimeSurvey (formerly PHPSurveyor) before 1.71 have unknown impact and attack vectors. | | |
| CVE-2007-5573 | <= 1.5.2 | PHP remote file inclusion vulnerability in classes/core/language.php in LimeSurvey 1.5.2 and earlier allows remote attackers to ex | | |
| CVE-2007-3632 | all versions | Multiple PHP remote file inclusion vulnerabilities in LimeSurvey (aka PHPSurveyor) 1.49RC2 allow remote attackers to execute arbit | | |
threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin