{"id":"CVE-2025-70797","details":"Cross Site Scripting vulnerability in Limesurvey v.6.15.20+251021 allows a remote attacker to execute arbitrary code via the Box[title] and box[url] parameters.","modified":"2026-07-15T01:49:22.402849002Z","published":"2026-04-09T00:00:00Z","database_specific":{"cna_assigner":"mitre","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/70xxx/CVE-2025-70797.json"},"references":[{"type":"WEB","url":"https://gist.github.com/masquerad3r/772ddbfbd9fd95754f4873bcb202146d"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/70xxx/CVE-2025-70797.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-70797"},{"type":"FIX","url":"https://github.com/LimeSurvey/LimeSurvey/pull/4356"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/limesurvey/limesurvey","events":[{"introduced":"6fa44427fec52f95ee7441784b46788471d87594"},{"last_affected":"6fa44427fec52f95ee7441784b46788471d87594"}],"database_specific":{"extracted_events":[{"introduced":"6.15.20-251021"},{"last_affected":"6.15.20-251021"}],"source":"CPE_STRING","cpe":"cpe:2.3:a:limesurvey:limesurvey:6.15.20:251021:*:*:*:*:*:*"}}],"versions":["6.15.20-251021","6.15.20+251021"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-70797.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}