CVE-2025-41375

SQL Injection vulnerability in Limesurvey v2.65.1+170522. This vulnerability allows an attacker to retrieve, create, update and delete database via 'token' parameter in '/index.php' endpoint.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-limesurvey	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:limesurvey:limesurvey:*:*:*:*:*:*:*:*

History

30 Jan 2026, 21:45

Type	Values Removed	Values Added
First Time		Limesurvey Limesurvey limesurvey
CPE		cpe:2.3:a:limesurvey:limesurvey::::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.8
References	~~() https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-limesurvey -~~	() https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-limesurvey - Third Party Advisory

11 Sep 2025, 09:15

Type	Values Removed	Values Added
Summary	(en) A SQL injection vulnerability has been found in Gandia Integra Total of TESI from version 2.1.2217.3 to v4.4.2236.1. The vulnerability allows an authenticated attacker to retrieve, create, update and delete databases through the 'idestudio' parameter in /encuestas/integraweb[_v4]/integra/html/view/consultaincimails.php.	(en) SQL Injection vulnerability in Limesurvey v2.65.1+170522. This vulnerability allows an attacker to retrieve, create, update and delete database via 'token' parameter in '/index.php' endpoint.
References	~~{'url': 'https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-gandia-integra-total-tesi', 'source': 'cve-coordination@incibe.es'}~~	() https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-limesurvey -

04 Aug 2025, 15:06

Type	Values Removed	Values Added
Summary		(es) Se ha detectado una vulnerabilidad de inyección SQL en Gandia Integra Total of TESI, desde la versión 2.1.2217.3 hasta la v4.4.2236.1. Esta vulnerabilidad permite a un atacante autenticado recuperar, crear, actualizar y eliminar bases de datos mediante el parámetro 'idestudio' en /encuestas/integraweb[_v4]/integra/html/view/consultaincimails.php.

01 Aug 2025, 13:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-08-01 13:15

Updated : 2026-01-30 21:45

NVD link : CVE-2025-41375

Mitre link : CVE-2025-41375

CVE.ORG link : CVE-2025-41375

JSON object : View

Products Affected

limesurvey

limesurvey

CWE

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

9.8 /10