Limesurvey: community verdicts
4 notable / known-exploited Limesurvey CVEs the community has triaged.
ⓘ Not an exhaustive list: we focus on the findings that matter (exploited / notable). For every Limesurvey CVE, see NVD ↗.
- CVE-2025-56422CRIT 9.8Real · low riskEPSS 1%
A deserialization vulnerability in LimeSurvey before v6.15.0+250623 allows a remote attacker to execute arbitrary code on the server.
- CVE-2024-28710MED 6.1EPSS 1%
Cross Site Scripting vulnerability in LimeSurvey before 6.5.0+240319 allows a remote attacker to execute arbitrary code via a lack of input validation and output encoding in the Alert Widget's message component.
- CVE-2024-28709MED 6.1EPSS 1%
Cross Site Scripting vulnerability in LimeSurvey before 6.5.12+240611 allows a remote attacker to execute arbitrary code via a crafted script to the title and comment fields.
- CVE-2025-56421HIGH 7.5Real · low riskEPSS 0%
SQL Injection vulnerability in LimeSurvey before v.6.15.4+250710 allows a remote attacker to obtain sensitive information from the database.