Reflected Cross-Site Scripting Vulnerability in LimeSurvey by LimeSurvey
CVE-2025-63238
CVSS 6.1 (MEDIUM)
What is CVE-2025-63238?
A reflected cross-site scripting vulnerability has been identified in LimeSurvey, affecting versions prior to 6.15.11+250909. This vulnerability arises from insufficient validation of the 'gid' parameter in the getInstance() function within the application/models/QuestionCreate.php file. Attackers can exploit this weakness by crafting malicious URLs that, when accessed by a logged-in user, can execute arbitrary script code within their browser session, potentially leading to session hijacking and unauthorized actions.
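The pattern described above, as an added illustration that is not LimeSurvey's code: a numeric `gid` parameter is validated as a positive integer at the boundary and HTML-encoded before it is echoed, so a crafted value can no longer be reflected as markup. The helper names `validateGroupId` and `renderGroupLink` are hypothetical.

```php
<?php
// Added example, not code from LimeSurvey. The CVE text says the 'gid'
// parameter reached getInstance() in application/models/QuestionCreate.php
// without sufficient validation; a group id is numeric, so the fix pattern
// is strict integer validation plus output encoding (hypothetical helpers).
declare(strict_types=1);

/** Returns the validated group id, or null when the value is not a positive integer. */
function validateGroupId(mixed $raw): ?int
{
    if (!is_string($raw) && !is_int($raw)) {
        return null;
    }
    $s = (string) $raw;
    // Only plain digits are accepted: no sign, whitespace, or markup characters.
    if ($s === '' || !ctype_digit($s) || strlen($s) > 10) {
        return null;
    }
    $id = (int) $s;
    return $id > 0 ? $id : null;
}

/** Hypothetical rendering path: the id reaches HTML only after validation and encoding. */
function renderGroupLink(mixed $rawGid): string
{
    $gid = validateGroupId($rawGid);
    if ($gid === null) {
        // Reject rather than reflect: the raw value never reaches the response body.
        return 'Invalid group id.';
    }
    // Encode even though $gid is already an int: defence in depth for any later
    // refactor that widens the accepted type.
    $safe = htmlspecialchars((string) $gid, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="?gid=' . $safe . '">Group ' . $safe . '</a>';
}

// Constructed sample inputs (not taken from a real request).
var_dump(validateGroupId('42'));
var_dump(validateGroupId('42<svg>'));
var_dump(validateGroupId(' 42'));
echo renderGroupLink('7'), PHP_EOL;
echo renderGroupLink('7"><script>'), PHP_EOL;
```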
