On February 12, 2026, I responsibly disclosed an open redirect vulnerability in LimeSurvey, the popular open-source survey platform. The issue was patched and released in version 6.16.11+260303 on March 3, 2026.
In `application/controllers/EditorLinkController.php`, the `url` GET parameter was passed directly into a redirect without any validation or sanitization. This meant that any unauthenticated user could craft a link under a legitimate LimeSurvey installation that would silently redirect visitors to an arbitrary external site.
```php
// application/controllers/EditorLinkController.php (vulnerable version, before the fix)
public function run($action)
{
    $this->setAuthenticationInitCookie();
    // The `url` query parameter is read as-is; only a default value is supplied
    // when it is absent, nothing checks what the caller actually sent.
    $editorUrl = Yii::app()->request->getQuery(
        'url',
        rtrim(
            Yii::app()->request->baseUrl
            . static::REACT_APP_BASE_PATH,
            '/'
        )
    );
    $editorRoute = Yii::app()->request->getQuery('route');
    // The caller-controlled `url` becomes the redirect target without validation.
    $url = $editorUrl . '/' . $editorRoute;
    $this->redirect($url);
}
```
A simple proof of concept demonstrated the issue on LimeSurvey’s own demo environment:
https://demo.limesurvey.org/index.php?r=editorLink&url=https://melvin.ovh/
Visiting this URL would immediately redirect the user away from LimeSurvey to the attacker-controlled domain.
Open redirects are sometimes dismissed as low-severity, but they can be a powerful tool in an attack chain. By abusing the trust users place in a legitimate domain, an attacker can craft convincing phishing campaigns, harvest credentials through fake login pages, or chain the redirect with other vulnerabilities such as SSRF for greater impact. When users (or systems) see a familiar domain in the URL, they are far less likely to question where they end up.
Timeline
| Date | Event |
|---|---|
| 2026-02-12 | Vulnerability reported to LimeSurvey via their bug tracker |
| 2026-02-12 | Developer DenisChenu confirms the issue |
| 2026-02-24 | Internal discussion on the controller’s purpose and ownership |
| 2026-02-25 | Fix committed to the master branch by developer Tim Willig |
| 2026-03-03 | Patch released in version 6.16.11+260303 |
Total time from report to fix: 19 days. Solid turnaround.
Key takeaway
If your application performs redirects based on user input, always validate the target URL against an allowlist of trusted destinations. A simple check can prevent your domain from becoming a launchpad for phishing attacks. And make sure to patch if you’re running LimeSurvey 🙂
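As an added illustration of that allowlist check (my own example, not LimeSurvey's actual patch), here is a standalone PHP function that accepts only same-site relative paths or absolute http(s) URLs whose host is on an allowlist; the allowlist and the candidate URLs below are constructed for the demonstration.

```php
<?php
declare(strict_types=1);

/**
 * Allow a redirect target only if it is a same-site relative path or an
 * absolute http(s) URL whose host is on the allowlist. Everything else
 * (other schemes, scheme-relative "//host", "/\host", userinfo tricks)
 * is rejected so the application cannot be used as an open redirector.
 */
function isSafeRedirectTarget(string $target, array $allowedHosts): bool
{
    // Control characters and whitespace never belong in a Location header.
    if ($target === '' || preg_match('/[\x00-\x20\x7f]/', $target) === 1) {
        return false;
    }
    $parts = parse_url($target);
    if ($parts === false || isset($parts['user']) || isset($parts['pass'])) {
        return false;
    }
    // No scheme and no host: a relative path. It must start with exactly one
    // "/" because browsers treat "//" and "/\" as scheme-relative URLs.
    if (!isset($parts['scheme']) && !isset($parts['host'])) {
        return preg_match('#\A/(?![/\\\\])#', $target) === 1;
    }
    // Absolute URL: only http/https, host compared exactly, case-insensitively.
    $scheme = strtolower($parts['scheme'] ?? '');
    if (!in_array($scheme, ['http', 'https'], true)) {
        return false;
    }
    $host = strtolower($parts['host'] ?? '');
    return in_array($host, array_map('strtolower', $allowedHosts), true);
}

// Constructed allowlist and inputs for demonstration only; a real deployment
// would list the installation's own host name(s).
$allowed = ['demo.limesurvey.org'];
foreach ([
    '/index.php?r=admin',                            // relative path: allow
    'https://demo.limesurvey.org/editor',            // own host: allow
    'https://attacker.example/',                     // foreign host: reject
    '//attacker.example/',                           // scheme-relative: reject
    '/\\attacker.example',                           // backslash variant: reject
    'https://demo.limesurvey.org@attacker.example/', // userinfo trick: reject
] as $candidate) {
    printf("%-48s %s\n", $candidate,
        isSafeRedirectTarget($candidate, $allowed) ? 'allow' : 'reject');
}
```

In the controller, the validated value would replace the raw `getQuery('url', ...)` result before `$this->redirect()` is called, falling back to the default editor path when the check fails.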
A note on credit
When the fix landed, the changelog credited the developer who wrote the patch rather than the person who discovered and reported the vulnerability. This is a minor thing, but worth mentioning: proper attribution matters in the security community. Researchers invest time and effort into finding and responsibly disclosing issues instead of exploiting them. Crediting the reporter alongside the developer is a small gesture that goes a long way in encouraging responsible disclosure.
Below is the reply from the LimeSurvey team when I asked them about this process. I will be focusing my free security research on other open source projects going forward.

> I don’t see how we could have done it differently. Tim fixed the issue and the rest is happening automatically. It is not the credit that is given, but only a notation of who fixed the issue for historical purposes.
>
> Thank you once more for reporting this!