PatchSiren cyber security CVE debrief

CVE-2026-50636 LimeSurvey CVE debrief

CVE-2026-50636 is a HIGH severity vulnerability in LimeSurvey's RemoteControl API. The invite_participants and remind_participants methods are susceptible to SQL injection due to improper handling of user-supplied token-ID arrays. An authenticated attacker with the tokens/update permission can inject malicious SQL, enabling arbitrary data reads and writes across the database, including sensitive information like administrator password hashes and survey responses.

Vendor: LimeSurvey
Product: Unknown
CVSS: HIGH 8.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-09
Original CVE updated: 2026-06-09
Advisory published: 2026-06-09
Advisory updated: 2026-06-09

Who should care

Administrators and users of LimeSurvey, especially those with the RemoteControl interface enabled, should be aware of this vulnerability. It allows for SQL injection, which can lead to unauthorized data access and modification.

Technical summary

The RemoteControl API methods invite_participants and remind_participants pass a caller-supplied token-ID array into TokenDynamic::findUninvited(), which concatenates the values directly into a tid IN ('...') SQL clause without parameterization or input validation. This allows for SQL injection attacks, potentially leading to arbitrary data reads and writes.
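The following is an added illustration of the pattern described above and of its fix; it is not LimeSurvey code, and it is written in Python against an in-memory SQLite table rather than in the project's PHP. The table layout, the column names other than tid, and the sample rows are assumptions constructed for this example. The unsafe function reproduces the concatenated tid IN ('...') construction; the hardened function validates every id as a non-negative integer and binds the values with placeholders, which is the standard remediation for this class of defect.

```python
import re
import sqlite3

# Constructed schema standing in for a survey token table. Only the tid column
# is named on the advisory page; email and sent are assumptions for this example.
SCHEMA = """
CREATE TABLE tokens (
    tid   INTEGER PRIMARY KEY,
    email TEXT NOT NULL,
    sent  TEXT NOT NULL DEFAULT 'N'   -- 'N' = invitation not yet sent
);
"""

# Constructed sample rows: two participants invited already, two not yet.
SAMPLE_ROWS = [
    (1, "alice@example.test", "N"),
    (2, "bob@example.test",   "Y"),
    (3, "carol@example.test", "N"),
    (4, "dave@example.test",  "Y"),
]


def make_db():
    """Build the constructed in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO tokens VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def find_uninvited_unsafe(conn, token_ids):
    """Vulnerable pattern: caller-supplied ids are quoted and concatenated
    straight into the IN clause, so a value containing a quote rewrites the
    query. Shown only to contrast with the hardened version below."""
    quoted = ", ".join("'" + str(t) + "'" for t in token_ids)
    sql = ("SELECT tid, email FROM tokens WHERE sent = 'N' "
           "AND tid IN (" + quoted + ") ORDER BY tid")
    return conn.execute(sql).fetchall()


def validate_token_ids(token_ids):
    """Return a list of ints, accepting ints and digit-only strings (RPC callers
    often send strings). Anything else, including booleans, is rejected."""
    ids = []
    for t in token_ids:
        if isinstance(t, int) and not isinstance(t, bool):
            if t < 0:
                raise ValueError("token id must be non-negative: %r" % (t,))
            ids.append(t)
        elif isinstance(t, str) and re.fullmatch(r"\d+", t):
            ids.append(int(t))
        else:
            raise ValueError("token id must be a non-negative integer: %r" % (t,))
    return ids


def token_ids_are_valid(token_ids):
    """Boolean wrapper around validate_token_ids for callers that want a check."""
    try:
        validate_token_ids(token_ids)
        return True
    except ValueError:
        return False


def find_uninvited_safe(conn, token_ids):
    """Hardened pattern: validate first, then bind one placeholder per id so the
    database driver never interprets caller data as SQL."""
    ids = validate_token_ids(token_ids)
    if not ids:
        return []
    placeholders = ", ".join("?" * len(ids))
    sql = ("SELECT tid, email FROM tokens WHERE sent = 'N' "
           "AND tid IN (%s) ORDER BY tid" % placeholders)
    return conn.execute(sql, ids).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("safe lookup:", find_uninvited_safe(db, [1, "3", 2]))
    print("malformed id accepted by validator?", token_ids_are_valid(["1') OR ('1'='1"]))
```

Two things to note in the hardened version: the integer check happens before any SQL is built, so a malformed id is rejected with an error rather than silently dropped, and the number of placeholders is derived from the validated list, which keeps the binding correct for any array length the API accepts.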

Defensive priority

HIGH

Recommended defensive actions

  • Apply patches or updates provided by LimeSurvey to fix the SQL injection vulnerability.
  • Disable the RemoteControl interface if not in use.
  • Restrict access to the tokens/update permission.
  • Monitor for suspicious activity on the LimeSurvey installation.

Evidence notes

The CVE-2026-50636 vulnerability was identified in LimeSurvey's RemoteControl API. The vulnerability allows for SQL injection attacks due to improper input validation. The CVSS score is 8.7, indicating a HIGH severity level.

Official resources

CVE-2026-50636 was published on 2026-06-09T18:17:10.620Z and modified on 2026-06-09T19:36:10.547Z.