CVE-2025-66459

Lookyloo is a web interface that allows users to capture a website page and then display a tree of domains that call each other. Prior to 1.35.3, a XSS vulnerability can be triggered when a user submits a list of URLs to capture, one of them contains a HTML element, and the capture fails. Then, the error field is populated with an error message that contains the bad URL they tried to capture, triggering the XSS. This vulnerability is fixed in 1.35.3.

CVSS v3 6.1 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/Lookyloo/lookyloo/commit/1850a34b8cec52438df3b544295b20cfa35f8ad1	Patch
https://github.com/Lookyloo/lookyloo/commit/8c3ab96de44c1ce15646d734aa06faf884329116	Patch
https://github.com/Lookyloo/lookyloo/commit/95cdc00fe37fd89790fa89bb3ee3fefa2da38442	Patch
https://github.com/Lookyloo/lookyloo/security/advisories/GHSA-hvmh-j2jx-48wg	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:lookyloo:lookyloo:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-12-02 19:15

Updated : 2025-12-05 14:58

NVD link : CVE-2025-66459

Mitre link : CVE-2025-66459

CVE.ORG link : CVE-2025-66459

JSON object : View

Products Affected

lookyloo

lookyloo

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2025-66459", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-12-02T19:15:53.007", "references": [{"url": "https://github.com/Lookyloo/lookyloo/commit/1850a34b8cec52438df3b544295b20cfa35f8ad1", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/Lookyloo/lookyloo/commit/8c3ab96de44c1ce15646d734aa06faf884329116", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/Lookyloo/lookyloo/commit/95cdc00fe37fd89790fa89bb3ee3fefa2da38442", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/Lookyloo/lookyloo/security/advisories/GHSA-hvmh-j2jx-48wg", "tags": ["Patch", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Lookyloo is a web interface that allows users to capture a website page and then display a tree of domains that call each other. Prior to 1.35.3, a XSS vulnerability can be triggered when a user submits a list of URLs to capture, one of them contains a HTML element, and the capture fails. Then, the error field is populated with an error message that contains the bad URL they tried to capture, triggering the XSS. This vulnerability is fixed in 1.35.3."}], "lastModified": "2025-12-05T14:58:10.617", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:lookyloo:lookyloo:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3BB658AA-0447-4162-B66E-55A8B08D290C", "versionEndExcluding": "1.35.3"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}