CVE-2025-66458 | THREATINT

Description

Lookyloo is a web interface that allows users to capture a website page and then display a tree of domains that call each other. Prior to 1.35.3, there are multiple XSS due to unsafe use of f-strings in Markup. The issue requires a malicious 3rd party server responding with a JSON document containing JS code in a script element. This vulnerability is fixed in 1.35.3.

PUBLISHED Reserved 2025-12-01 | Published 2025-12-02 | Updated 2025-12-02 | Assigner GitHub_M

MEDIUM: 5.3CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Problem types

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

< 1.35.3

affected

References

github.com/...okyloo/security/advisories/GHSA-58h2-652v-gq87

github.com/...ommit/b6ee2fee0afff0b35f37dd891bbce9d53ed8a290

cve.org (CVE-2025-66458)

nvd.nist.gov (CVE-2025-66458)

Download JSON