EIP-2026-109142
PRE-CVELimeSurvey 4.1.11 - 'Permission Roles' Persistent Cross-Site Scripting
Title source: legacyExploitation Summary
EIP tracks 1 public exploit for EIP-2026-109142. PoCs published by Matthew Aberegg.
AI-analyzed exploit summary This exploit demonstrates a stored XSS vulnerability in LimeSurvey 4.1.11+200316 via the 'Permission Roles' functionality. The PoC sends a crafted HTTP POST request to inject malicious JavaScript into the 'name' and 'description' fields of a permission role.
Description
LimeSurvey 4.1.11 - 'Permission Roles' Persistent Cross-Site Scripting
Exploits (1)
exploitdb
WORKING POC
by Matthew Aberegg · textwebappsphp
https://www.exploit-db.com/exploits/48523
This exploit demonstrates a stored XSS vulnerability in LimeSurvey 4.1.11+200316 via the 'Permission Roles' functionality. The PoC sends a crafted HTTP POST request to inject malicious JavaScript into the 'name' and 'description' fields of a permission role.
Classification
Working Poc 100%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target:
LimeSurvey 4.1.11+200316
Auth required
Prerequisites:
Access to the LimeSurvey administration panel · Valid session cookies (YII_CSRF_TOKEN and LS-ERXSBPYJOOGIGFYW)
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026
Full analysis →
Details
Status
pre_cve
Tracked Since
Feb 18, 2026