CVE-2025-41076

Published: Nov 20, 2025

Modified: Nov 20, 2025

PUBLISHED

Description

In version 6.13.0 of LimeSurvey, any external user can cause a 500 error in the survey system by sending a malformed session cookie. Instead of displaying a generic error message, the system exposes internal backend information, including the use of the Yii framework, the MySQL/MariaDB database engine, the table name 'lime_sessions', primary keys, and fragments of the content that caused the conflict. This information can simplify the collection of data about the internal architecture of the application by an attacker.

Vendor	Product	Versions
LimeSurvey	LimeSurvey	affected `6.13.0`

Weaknesses (CWE)

CWE-209

References

https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-limesurvey-0

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-41076

Description

Affected Products

Weaknesses (CWE)

References