Lucene search

5 matches found

EUVD
added 3 hours ago, 2 views

EUVD-2026-35770

The RemoteControl API methods invite_participants and remind_participants pass a caller-supplied token-ID array into TokenDynamic::findUninvited, which concatenates the values directly into a tid IN '...' SQL clause without parameterization or input validation. A remote, authenticated attacker...

CVSS 8.8, AI score 5.8
Exploits: 0, References: 3
CVE
added 3 hours ago, 6 views

CVE-2026-50636

CVE-2026-50636 affects LimeSurvey’s RemoteControl API, specifically the invite_participants and remind_participants methods. The root cause is that caller-supplied token-ID arrays are concatenated directly into a tid IN ('...') clause in TokenDynamic::findUninvited() without parameterization or i...

CVSS 8.8, AI score 5.8
Exploits: 0, References: 3
Cvelist
added 3 hours ago, 5 views

CVE-2026-50636 LimeSurvey RemoteControl invite_participants/remind_participants SQL Injection

The RemoteControl API methods invite_participants and remind_participants pass a caller-supplied token-ID array into TokenDynamic::findUninvited, which concatenates the values directly into a tid IN '...' SQL clause without parameterization or input validation. A remote, authenticated attacker...

CVSS 8.8
Exploits: 0, References: 3
Code423n4
added 2022/02/10 12:0 a.m., 14 views

Undesired behavior

Lines of code Vulnerability details You push a parameter into an array of tokens without checking if it already exists. And if at first it's added with amount 0 it can later on be pushed with a greater amount and be twice in the array. Then in all processing it will consider the first occurrenc...

AI score 6.9
Exploits: 0
Code423n4
added 2021/04/30 12:0 a.m., 5 views

ERC-721 Enumerable Spec mismatch for index of tokenByIndex() function

Handle 0xRajeev Vulnerability details Impact Index starts at 0 for token array but the implementation here requires index to be greater than 0. This will prevent querying of token at index 0. See reference implementation This will impact compatibility with NFT platforms that expect full conformit...

AI score 7
Exploits: 0