LimeSurvey is vulnerable to SQL injection
SQL Injection vulnerability in LimeSurvey before v.6.15.4+250710 allows a remote attacker to obtain sensitive information from the database.
Advisories for Composer/Limesurvey/Limesurvey package
2026
2024
LimeSurvey Cross Site Scripting vulnerability
Cross Site Scripting vulnerability in LimeSurvey before 6.5.12+240611 allows a remote attacker to execute arbitrary code via a crafted script to the title and comment fields.
LimeSurvey Cross Site Scripting vulnerability
Cross Site Scripting vulnerability in LimeSurvey before 6.5.0+240319 allows a remote attacker to execute arbitrary code via a lack of input validation and output encoding in the Alert Widget's message component.
2022
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
LimeSurvey before v3.17.14 allows stored XSS for escalating privileges from a low-privileged account to, for example, SuperAdmin. The attack uses a survey group in which the title contains JavaScript that is mishandled upon group deletion.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
LimeSurvey before v3.17.14 allows reflected XSS for escalating privileges from a low-privileged account to, for example, SuperAdmin. This occurs in application/core/Survey_Common_Action.php,
2021
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The "File upload question" functionality in LimeSurvey 3.x-LTS through 3.27.18 allows XSS in assets/scripts/modaldialog.js and assets/scripts/uploader.js.