ByteOS Network

NGSurvey

Source -

CNA

CNA CVEs -

ADP CVEs -

CISA CVEs -

NVD CVEs -

2Vulnerabilities found

CVE-2025-15479

Assigner-64c5ae8f-7972-4697-86a0-7ada793ac795

View Details

Assigner-64c5ae8f-7972-4697-86a0-7ada793ac795

CVSS Score-5.1||MEDIUM

EPSS-0.04% / 13.30%

7 Day CHG+0.01%

Published-07 Jan, 2026 | 13:23

Updated-29 Jan, 2026 | 01:17

NGSurvey Enterprise 3.6.4 incorrect authorization exposes other users’ API keys and personal data

Stored cross-site scripting (XSS, CWE-79) in the survey content and administration functionality in Data Illusion Zumbrunn NGSurvey Enterprise Edition 3.6.4 on all supported platforms ( on Windows and Linux servers ) allows authenticated remote users with survey creation or edit privileges to execute arbitrary JavaScript in other users’ browsers, steal session information and perform unauthorized actions on their behalf via crafted survey content that is rendered without proper output encoding.

Vendor-ngsurvey Data Illusion Zumbrunn

Product-ngsurvey NGSurvey

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2025-13829

Assigner-64c5ae8f-7972-4697-86a0-7ada793ac795

View Details

Assigner-64c5ae8f-7972-4697-86a0-7ada793ac795

CVSS Score-8.6||HIGH

EPSS-0.06% / 17.85%

7 Day CHG~0.00%

Published-01 Dec, 2025 | 15:47

Updated-02 Dec, 2025 | 17:16

Incorrect Authorization vulnerability in Data Illusion Zumbrunn NGSurvey allows any logged-in user to obtain the private information of any other user. Critical information retrieved: * APIKEY (1 year user Session) * RefreshToken (10 minutes user Session) * Password hashed with bcrypt * User IP * Email * Full Name

Vendor-Data Illusion Zumbrunn

Product-NGSurvey

CWE ID-CWE-863

Incorrect Authorization