XSS Vulnerability in Lookyloo Web Interface
CVE-2025-66459
5.3 MEDIUM
What is CVE-2025-66459?
A cross-site scripting (XSS) vulnerability in the Lookyloo web interface allows an attacker to inject malicious scripts via user-submitted URLs. When a user attempts to capture a list of URLs containing HTML elements and the capture process fails, the interface displays an error message that reflects the bad URL. That reflected error message can expose the application to XSS, enabling attackers to execute scripts in the user’s context. The flaw is fixed in version 1.35.3.
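The failure path described above, as an added example that is not Lookyloo's code or its patch: a list of URLs is submitted, captures fail, and the bad URL is reflected in an error message, first as submitted and then output-encoded. The names `capture`, `submit`, `error_unsafe`, `error_safe` and the error markup are hypothetical, and `html.escape` is assumed here as the mitigation.

```python
import html
from urllib.parse import urlsplit

# Constructed sample submission: one valid URL, two entries carrying HTML elements.
SUBMITTED = [
    "https://example.com/",
    "https://example.com/<b>not-a-path</b>",
    'javascript:"<i>x</i>"',
]

def capture(url: str) -> None:
    """Hypothetical stand-in for the capture step: raises on URLs it cannot fetch."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("unsupported URL")
    if any(c in url for c in "<>\"' \t\r\n"):
        raise ValueError("malformed URL")

def error_unsafe(url: str) -> str:
    # "Before" form: the bad URL goes into the markup as submitted,
    # so any HTML elements in it become part of the page.
    return f'<div class="error">Unable to capture {url}</div>'

def error_safe(url: str) -> str:
    # Output-encode at the point of reflection: <, >, &, " and ' become
    # entities, so the URL is displayed as text instead of parsed as markup.
    return f'<div class="error">Unable to capture {html.escape(url, quote=True)}</div>'

def submit(urls, render):
    """Try each URL; return one rendered error message per failed capture."""
    errors = []
    for url in urls:
        try:
            capture(url)
        except ValueError:
            errors.append(render(url))
    return errors

if __name__ == "__main__":
    for unsafe, safe in zip(submit(SUBMITTED, error_unsafe), submit(SUBMITTED, error_safe)):
        print("unsafe:", unsafe)
        print("safe:  ", safe)
```

Template engines with autoescaping enabled apply the same encoding automatically; the reflection becomes unsafe again wherever a value is marked as pre-escaped or concatenated into markup by hand.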
Affected Version(s)
lookyloo < 1.35.3
