XSS Vulnerability in Lookyloo Web Interface by Lookyloo
CVE-2025-66458

5.3MEDIUM

Key Information:

Vendor: Lookyloo
Status: Lookyloo
Vendor: CVE Published:; 2 December 2025

What is CVE-2025-66458?

Lookyloo's web interface has a vulnerability that allows for multiple instances of cross-site scripting (XSS) due to improper use of f-strings in its markup. An attacker can exploit this vulnerability by tricking a user into visiting a page that executes JavaScript from a compromised third-party server. The malicious server must respond with a JSON document containing the harmful script, thereby compromising user sessions and data. This issue has been resolved in version 1.35.3.

Affected Version(s)

lookyloo < 1.35.3

References

https://github.com/Lookyloo/lookyloo/security/advisories/...

x_refsource_CONFIRM

https://github.com/Lookyloo/lookyloo/commit/b6ee2fee0afff...

x_refsource_MISC

CVSS V4

Score:

5.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 2, 2025
Vulnerability Reserved
Dec 1, 2025

CVE-2025-66458 Data

JSON