LimeSurvey before 4.0.0-RC4 allows SQL injection via the participant model.Referenceshttps://github.com/LimeSurvey/LimeSurvey/blob/master/docs/release_notes.txthttps://community.limesurvey.org/release/191008/
