Please help us help you and fill where relevant:
Your LimeSurvey version: 6.15.2
Own server or LimeSurvey hosting: Own Server
Survey theme/template: Default
Hi everyone, I’ve been running vulnerability scans on LimeSurvey CE using Checkmarx, as part of my company’s requirements. Due to memory limitations, I wasn’t able to scan the entire codebase. Instead, I focused on the main folders such as application, admin, modules, themes and plugins. Would this be considered sufficient for testing, or are there other areas I should definitely include?
The scan reported over 500 high-severity issues, with the majority flagged as XSS injection. Since I’m still quite new to coding and security testing, I’m unsure how to determine whether these are real vulnerabilities or false positives. Could anyone share how you usually verify such findings for LimeSurvey? Any advice, explanations, or recommended approaches would be greatly appreciated. Thank you in advance for your help!