LimeSurvey Reflected Cross-Site Scripting Vulnerability

Vulnerability

A reflected cross-site scripting vulnerability has been identified in LimeSurvey versions prior to 6.15.11+250909. The issue arises from inadequate validation of the 'gid' parameter in the 'getInstance()' function within 'application/models/QuestionCreate.php'. This allows an attacker to craft a malicious URL that, when opened by a logged-in user, runs attacker-controlled script in that user's session.

Impact

Exploitation of this vulnerability allows for reflected cross-site scripting, where an attacker can inject malicious scripts that are executed in the context of the user's browser.
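The root cause described above is an integer identifier that reaches page logic without being validated as an integer. The following is an added illustration, not code from LimeSurvey, of the two controls that close this class of bug: strict type validation of request parameters such as 'gid' and 'surveyid', and context-aware encoding of anything written back into HTML. The function names and the sample requests are constructed for this example.

```php
<?php
// Added example (not LimeSurvey's code): validate integer request parameters
// strictly before use, and HTML-encode anything reflected into a response.

function requireIntParam(array $params, string $name): int
{
    if (!array_key_exists($name, $params)) {
        throw new InvalidArgumentException("Missing parameter: $name");
    }
    // FILTER_VALIDATE_INT accepts only a plain integer string; a value with
    // trailing markup or other characters is rejected outright.
    $value = filter_var($params[$name], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 0],
    ]);
    if ($value === false) {
        throw new InvalidArgumentException("Invalid integer for parameter: $name");
    }
    return $value;
}

function escapeHtml(string $s): string
{
    // Encode for an HTML body/attribute context; quotes included.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample query strings: one well-formed, one carrying markup in gid.
$requests = [
    ['surveyid' => '123456', 'gid' => '42'],
    ['surveyid' => '123456', 'gid' => '42"><b>x</b>'],
];

foreach ($requests as $q) {
    try {
        $surveyId = requireIntParam($q, 'surveyid');
        $gid      = requireIntParam($q, 'gid');
        // Even validated values are encoded when written into HTML.
        echo 'OK: survey=' . escapeHtml((string) $surveyId)
           . ' group=' . escapeHtml((string) $gid) . "\n";
    } catch (InvalidArgumentException $e) {
        // Reject the request (e.g. HTTP 400) instead of echoing the raw value.
        echo 'Rejected: ' . escapeHtml($e->getMessage()) . "\n";
    }
}
```

The first request passes both checks; the second is rejected at validation, so the malformed 'gid' never reaches a template. Encoding on output remains in place as a second layer for any value that is legitimately reflected.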

Reproduction

To reproduce this vulnerability, log into the LimeSurvey admin portal and create a survey to obtain its ID. Then, navigate to '/index.php/questionAdministration/create' and include the 'gid' parameter with a crafted script payload, along with the 'surveyid' parameter set to the ID of the created survey. Upon loading the page, the injected script will execute, demonstrating the cross-site scripting vulnerability.

Remediation

Users are advised to upgrade to LimeSurvey version 6.15.12+250916 or later.

Added: Apr 9, 2026, 7:47 PM
Updated: Apr 9, 2026, 7:47 PM

Vulnerability Rating

Custom Algorithm

spread: 3.4
impact: 1.7
exploitability: 7.7
remediation: 7.7
relevance: 5.5
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.