Lookyloo vulnerable to XSS due to lack of escaping in...

5.3 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Description

Lookyloo is a web interface that allows users to capture a website page and then display a tree of domains that call each other. Prior to 1.35.3, Lookyloo passed improperly escaped values to cells rendered in datatables using the orthogonal-data feature. It is definitely exploitable from the popup view, but it is most probably also exploitable in many other places. This vulnerability is fixed in 1.35.3.

Basic Information

ID CVE-2025-66460

Source GitHub_M

Published Dec 2, 2025 at 18:34

Modified Dec 2, 2025 at 19:14

Affected Product

Vendor Lookyloo

Product lookyloo

Version < 1.35.3

Affected Versions Lookyloo lookyloo < 1.35.3

CWE Classification

CWE-79

References

{
    "lastseen": "",
    "description": "Lookyloo is a web interface that allows users to capture a website page and then display a tree of domains that call each other. Prior to 1.35.3, Lookyloo passed improperly escaped values to cells rendered in datatables using the orthogonal-data feature. It is definitely exploitable from the popup view, but it is most probably also exploitable in many other places. This vulnerability is fixed in 1.35.3.",
    "published": "2025-12-02T18:34:45.400Z",
    "modified": "2025-12-02T19:14:43.987Z",
    "type": "cve",
    "title": "Lookyloo vulnerable to XSS due to lack of escaping in HTML elements passed to Datatables",
    "source": "GitHub_M",
    "references": "https://github.com/Lookyloo/lookyloo/security/advisories/GHSA-r93r-7jfr-99c3\nhttps://github.com/Lookyloo/lookyloo/commit/63b39311f6b251a671895d97174345faf1b18e6e",
    "id": "CVE-2025-66460",
    "bulletinFamily": "",
    "cwe": [
        "CWE-79"
    ],
    "cvelist": null,
    "sourceData": "Lookyloo lookyloo < 1.35.3",
    "sourceHref": "",
    "cvss": {
        "score": 5.3,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "lookyloo",
    "version": "< 1.35.3",
    "vendor": "Lookyloo",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Lookyloo vulnerable to XSS due to lack of escaping in HTML elements passed to Datatables_CVE-2025-66460