Nixpkgs Security Tracker

Untriaged

Permalink CVE-2026-1247

4.4 MEDIUM

CVSS version: 3.1
Attack vector (AV):
Attack complexity (AC):
Privileges required (PR):
User interaction (UI):
Scope (S):
Confidentiality impact (C):
Integrity impact (I):
Availability impact (A):

created 5 hours ago

Survey <= 1.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Settings

The Survey plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

References

Affected products

Survey

=<1.1

Matching in nixpkgs

pkgs.limesurvey

Open source survey application

nixos-unstable 6.15.14+250924
- nixpkgs-unstable 6.15.14+250924
- nixos-unstable-small 6.15.14+250924
nixos-25.11 6.15.14+250924
- nixos-25.11-small 6.15.14+250924
- nixpkgs-25.11-darwin 6.15.14+250924

pkgs.python312Packages.survey

Simple library for creating beautiful interactive prompts

nixos-25.11 5.4.2
- nixos-25.11-small 5.4.2
- nixpkgs-25.11-darwin 5.4.2

pkgs.python313Packages.survey

Simple library for creating beautiful interactive prompts

nixos-unstable 5.4.2
- nixpkgs-unstable 5.4.2
- nixos-unstable-small 5.4.2
nixos-25.11 5.4.2
- nixos-25.11-small 5.4.2
- nixpkgs-25.11-darwin 5.4.2

pkgs.python314Packages.survey

Simple library for creating beautiful interactive prompts

nixos-unstable 5.4.2
- nixpkgs-unstable 5.4.2
- nixos-unstable-small 5.4.2

pkgs.haskellPackages.gogol-surveys

Google Surveys SDK

nixos-unstable 1.0.0
- nixpkgs-unstable 1.0.0
- nixos-unstable-small 1.0.0
nixos-25.11 1.0.0
- nixos-25.11-small 1.0.0
- nixpkgs-25.11-darwin 1.0.0

pkgs.libsForQt5.kde-inotify-survey

Tooling for monitoring inotify limits and informing the user when they have been or about to be reached

pkgs.kdePackages.kde-inotify-survey

Tooling for monitoring inotify limits and informing the user when they have been or about to be reached.

nixos-unstable 25.12.3
- nixpkgs-unstable 25.12.3
- nixos-unstable-small 25.12.3
nixos-25.11 25.08.3
- nixos-25.11-small 25.08.3
- nixpkgs-25.11-darwin 25.08.3

pkgs.plasma5Packages.kde-inotify-survey

Tooling for monitoring inotify limits and informing the user when they have been or about to be reached

pkgs.haskellPackages.gogol-consumersurveys

Google Consumer Surveys SDK

nixos-unstable 1.0.0
- nixpkgs-unstable 1.0.0
- nixos-unstable-small 1.0.0
nixos-25.11 1.0.0
- nixos-25.11-small 1.0.0
- nixpkgs-25.11-darwin 1.0.0

Package maintainers

@ilya-fedin Ilya Fedin <fedin-ilja2010@ya.ru>
@K900 Ilya K. <me@0upti.me>
@peterhoeg Peter Hoeg <peter@hoeg.com>
@ttuegel Thomas Tuegel <ttuegel@mailbox.org>
@SCOTT-HAMILTON Scott Hamilton <sgn.hamilton@protonmail.com>
@bkchr Bastian Köcher <nixos@kchr.de>
@SuperSandro2000 Sandro Jäckel <sandro.jaeckel@gmail.com>
@LunNova Luna Nova <nixpkgs-maintainer@lunnova.dev>
@NickCao Nick Cao <nickcao@nichi.co>
@FRidh Frederik Rietdijk <fridh@fridh.nl>
@nyanloutre Paul Trehiou <paul@nyanlout.re>
@mjm Matt Moriarity <matt@mattmoriarity.com>
@offlinehacker Jaka Hudoklin <jaka@x-truder.net>
@SFrijters Stefan Frijters <sfrijters@gmail.com>

Untriaged

Permalink CVE-2020-36993

6.4 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): NONE
Scope (S): CHANGED
Confidentiality impact (C): LOW
Integrity impact (I): LOW
Availability impact (A): NONE

created 1 month, 3 weeks ago

LimeSurvey <= 4.3.10 - 'Survey Menu' Persistent Cross-Site Scripting

LimeSurvey 4.3.10 contains a stored cross-site scripting vulnerability in the Survey Menu functionality of the administration panel. Attackers can inject malicious SVG scripts through the Surveymenu[title] and Surveymenu[parent_id] parameters to execute arbitrary JavaScript in administrative contexts.

References

ExploitDB-48762 exploit
LimeSurvey Official Website product
LimeSurvey Patch Commit issue-tracking patch
VulnCheck Advisory: LimeSurvey <= 4.3.10 - 'Survey Menu' Persistent Cross-Site Scripting third-party-advisory
LimeSurvey Official Website product
LimeSurvey Patch Commit issue-tracking patch
VulnCheck Advisory: LimeSurvey <= 4.3.10 - 'Survey Menu' Persistent Cross-Site Scripting third-party-advisory
ExploitDB-48762 exploit
ExploitDB-48762 exploit
LimeSurvey Official Website product
LimeSurvey Patch Commit issue-tracking patch
VulnCheck Advisory: LimeSurvey <= 4.3.10 - 'Survey Menu' Persistent Cross-Site Scripting third-party-advisory

Affected products

LimeSurvey

=<4.3.10

Matching in nixpkgs

pkgs.limesurvey

Open source survey application

nixos-unstable 6.15.14+250924
- nixpkgs-unstable 6.15.14+250924
- nixos-unstable-small 6.15.14+250924

Package maintainers

@offlinehacker Jaka Hudoklin <jaka@x-truder.net>

Suggestions search

References

Affected products

Matching in nixpkgs

pkgs.limesurvey

pkgs.python312Packages.survey

pkgs.python313Packages.survey

pkgs.python314Packages.survey

pkgs.haskellPackages.gogol-surveys

pkgs.libsForQt5.kde-inotify-survey

pkgs.kdePackages.kde-inotify-survey

pkgs.plasma5Packages.kde-inotify-survey

pkgs.haskellPackages.gogol-consumersurveys

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.limesurvey

Package maintainers