External User Affects LimeSurvey through Malformed Session Cookie
CVE-2025-41076

6.9 MEDIUM

Key Information:

Vendor

Limesurvey

CVE Published:
20 November 2025

Badges

📰 News Worthy

What is CVE-2025-41076?

In LimeSurvey version 6.13.0, an external user can trigger a 500 error in the survey system by sending a malformed session cookie. Instead of a generic error response, the system reveals internal backend information, including details of the Yii framework, the MySQL/MariaDB database engine, and specific database table structures. This information leakage helps an attacker map the system's architecture and may assist in exploiting other weaknesses.
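The failure mode described above, as an added illustration that is not LimeSurvey's or Yii's code: a request handler that passes the raw session cookie to the backend and echoes the resulting exception into its 500 response, beside a handler that validates the cookie's format first and returns only generic error bodies while keeping the detail in the server log. It is written in Python as a stand-in for the PHP application. The cookie name, the token format, the backend stand-in and its exception text, the leak-marker list and the sample cookies are all constructed for the example.

```python
"""Verbose-error information disclosure on a malformed session cookie:
leaky handler versus hardened handler, plus a response-body check.
Illustrative example only; not code from LimeSurvey or the Yii framework."""
import logging
import re
import uuid

SESSION_COOKIE_NAME = "PHPSESSID"                 # assumed cookie name for the demo
SESSION_TOKEN_RE = re.compile(r"^[0-9a-f]{32}$")  # constructed token policy

# Substrings that indicate framework or database internals in an error body.
# Constructed list, based on the kinds of detail the advisory says are exposed
# (Yii framework, MySQL/MariaDB, table structures).
LEAK_MARKERS = ("yii", "cdbexception", "sqlstate", "mysql", "mariadb",
                "table '", "stack trace")

log = logging.getLogger("app")


def cookie_value(cookie_header, name=SESSION_COOKIE_NAME):
    """Pull one cookie's raw value out of a Cookie header ('' if absent)."""
    for part in cookie_header.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return ""


class MalformedSessionCookie(ValueError):
    """Raised when the session token does not match the expected format."""


def validate_token(token):
    """Reject anything that is not a well-formed session token."""
    if not SESSION_TOKEN_RE.fullmatch(token):
        raise MalformedSessionCookie("session token failed format check")
    return token


def session_lookup(token):
    """Constructed stand-in for the session store. Like an unguarded database
    layer, it fails with a verbose internal exception on unexpected input."""
    if not SESSION_TOKEN_RE.fullmatch(token):
        raise RuntimeError(
            "CDbException: SQLSTATE[42S02]: Base table or view not found: "
            "Table 'appdb.sessions_example' doesn't exist (Yii 1.1, MariaDB)")
    return {"token": token, "user": "demo"}


def handle_leaky(cookie_header):
    """Vulnerable pattern: the raw cookie goes straight to the backend and the
    exception text becomes the body of the 500 response."""
    try:
        session = session_lookup(cookie_value(cookie_header))
        return 200, "welcome " + session["user"]
    except Exception as exc:  # deliberately broad: this is the bad pattern
        return 500, "Internal Server Error: " + str(exc)


def handle_hardened(cookie_header):
    """Defensive pattern: validate the cookie before it touches the backend,
    answer malformed input with a generic 400, and keep any unexpected
    exception in the server log under a reference id the client can quote."""
    try:
        token = validate_token(cookie_value(cookie_header))
    except MalformedSessionCookie:
        return 400, "Bad Request"
    try:
        session = session_lookup(token)
        return 200, "welcome " + session["user"]
    except Exception:  # detail goes to the log, never to the client
        ref = uuid.uuid4().hex[:12]
        log.exception("session lookup failed (ref=%s)", ref)
        return 500, "Internal Server Error (ref %s)" % ref


def leaks_backend_details(body):
    """Check a reviewer or scanner can run over an error page: which
    framework/database markers does the response body contain?"""
    lowered = body.lower()
    return [m for m in LEAK_MARKERS if m in lowered]


# Constructed sample inputs.
MALFORMED_COOKIE = 'PHPSESSID=%00%ff"<not-a-token>'
GOOD_COOKIE = "PHPSESSID=" + "a" * 32

if __name__ == "__main__":
    for label, handler in (("leaky", handle_leaky), ("hardened", handle_hardened)):
        status, body = handler(MALFORMED_COOKIE)
        print(f"{label:9s} {status} leaked markers: {leaks_backend_details(body)}")
```

Running the block shows the leaky handler answering the malformed cookie with a 500 whose body trips several leak markers, while the hardened handler answers 400 with a body that trips none; a well-formed token still reaches the backend normally. The same `leaks_backend_details` check can be applied to captured error responses when verifying that a deployment no longer exposes backend internals.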

Affected Version(s)

LimeSurvey 6.13.0

News Articles

CVE-2025-41076 Impact, Exploitability, and Mitigation Steps | Wiz

Understand the critical aspects of CVE-2025-41076 with a detailed vulnerability assessment, exploitation potential, affected technologies, and remediation guidance.

CVSS v4

Score: 6.9
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • 📰 First article discovered by wiz.io

  • Vulnerability published

  • Vulnerability reserved

Credit

Julen Garrido Estevez