LimeSurvey <= 4.3.10 - 'Survey Menu' Persistent Cross-Site Scripting | Advisories

Advisories

LimeSurvey <= 4.3.10 - 'Survey Menu' Persistent Cross-Site Scripting

severity: medium
date: January 28, 2026
Affecting: LimeSurvey <= 4.3.10
CVE: CVE-2020-36993
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS: 5.1
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
References: ExploitDB-48762
LimeSurvey Official Website
LimeSurvey Patch Commit
Credit: Matthew Aberegg
Description: LimeSurvey 4.3.10 contains a stored cross-site scripting vulnerability in the Survey Menu functionality of the administration panel. Attackers can inject malicious SVG scripts through the Surveymenu[title] and Surveymenu[parent_id] parameters to execute arbitrary JavaScript in administrative contexts.