This vulnerability involves a reflected XSS issue in LimeSurvey before version 6.15.11+250909. The root cause is the lack of proper validation on the 'gid' parameter in the getInstance() function of the QuestionCreate.php model. This flaw allows attackers to inject malicious scripts via crafted URLs, potentially compromising authenticated users who click these links. The CVSS 3.1 vector indicates the attack can be performed remotely without privileges but requires user interaction and results in partial confidentiality and integrity impact without affecting availability. No official fix or vendor advisory is currently available, and exploitation in the wild has not been observed.

Successful exploitation can lead to the compromise of logged-in users through reflected XSS, potentially allowing attackers to execute arbitrary scripts in the context of the victim's browser session. This can result in partial loss of confidentiality and integrity of user data. There is no indication of impact on system availability. No known active exploitation has been reported.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should exercise caution with untrusted URLs and consider implementing web application firewall (WAF) rules to detect and block malicious input targeting the 'gid' parameter. Monitor official LimeSurvey communications for updates and patches.