Stored Cross-Site Scripting Vulnerability in LimeSurvey Administration Panel
CVE-2020-36993

5.1MEDIUM

Key Information:

Vendor: Limesurvey
Status: Limesurvey
Vendor: CVE Published:; 28 January 2026

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2020-36993?

LimeSurvey version 4.3.10 is susceptible to a stored cross-site scripting vulnerability found in the Survey Menu of the administration panel. This issue allows attackers to inject malicious SVG scripts by manipulating the Surveymenu[title] and Surveymenu[parent_id] parameters. If successful, this could lead to the execution of arbitrary JavaScript within an administrative context, posing a significant risk to the integrity and security of the application.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

LimeSurvey 0 <= 4.3.10

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2020-36993 - Proof of Concept

References

https://www.exploit-db.com/exploits/48762

exploit

https://www.limesurvey.org

product

https://github.com/LimeSurvey/LimeSurvey/commit/3712854a8...

issue-trackingpatch

CVSS V4

Score:

5.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Timeline

🟡
Public PoC available
Jan 28, 2026
👾
Exploit known to exist
Jan 28, 2026
Vulnerability published
Jan 28, 2026
Vulnerability Reserved
Jan 27, 2026

Credit

Matthew Aberegg

JSON

Limesurvey