CVE-2025-41076
Unknown Unknown - Not Provided

BaseFortify

Vulnerability report for CVE-2025-41076, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2025-11-20

Last updated on: 2025-11-21

Assigner: Spanish National Cybersecurity Institute, S.A. (INCIBE)

Description

In version 6.13.0 of LimeSurvey, any external user can cause a 500 error in the survey system by sending a malformed session cookie. Instead of displaying a generic error message, the system exposes internal backend information, including the use of the Yii framework, the MySQL/MariaDB database engine, the table name 'lime_sessions', primary keys, and fragments of the content that caused the conflict. This information can simplify the collection of data about the internal architecture of the application by an attacker.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2025-11-20
Last Modified
2025-11-21
Generated
2026-07-06
AI Q&A
2025-11-20
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
limesurvey limesurvey 6.13.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-209 The product generates an error message that includes sensitive information about its environment, users, or associated data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

In LimeSurvey version 6.13.0, an external user can trigger a server error (500 error) by sending a malformed session cookie. Instead of showing a generic error message, the system reveals internal backend details such as the use of the Yii framework, the MySQL/MariaDB database engine, the table name 'lime_sessions', primary keys, and parts of the conflicting content. This exposure can help an attacker learn about the internal architecture of the application.

Impact Analysis

This vulnerability can impact you by exposing sensitive internal information about the LimeSurvey system's backend when a malformed session cookie is sent. Attackers can use this information to better understand the system's architecture, which may facilitate further attacks or exploitation attempts.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-41076. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart