CVE-2025-66460 | THREATINT

Description

Lookyloo is a web interface that allows users to capture a website page and then display a tree of domains that call each other. Prior to 1.35.3, Lookyloo passed improperly escaped values to cells rendered in datatables using the orthogonal-data feature. It is definitely exploitable from the popup view, but it is most probably also exploitable in many other places. This vulnerability is fixed in 1.35.3.

PUBLISHED Reserved 2025-12-01 | Published 2025-12-02 | Updated 2025-12-02 | Assigner GitHub_M

MEDIUM: 5.3CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Problem types

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

< 1.35.3

affected

References

github.com/...okyloo/security/advisories/GHSA-r93r-7jfr-99c3

github.com/...ommit/63b39311f6b251a671895d97174345faf1b18e6e

cve.org (CVE-2025-66460)

nvd.nist.gov (CVE-2025-66460)

Download JSON