CVE-2025-66459

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-66459

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-66459.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-66459

Aliases

GHSA-hvmh-j2jx-48wg

Published

2025-12-02T18:32:59.256Z

Modified

2025-12-06T07:05:29.090724Z

Severity

5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N CVSS Calculator

Summary

Lookyloo vulnerable to XSS due to unescaped error message passed to innerHTML

Details

Lookyloo is a web interface that allows users to capture a website page and then display a tree of domains that call each other. Prior to 1.35.3, a XSS vulnerability can be triggered when a user submits a list of URLs to capture, one of them contains a HTML element, and the capture fails. Then, the error field is populated with an error message that contains the bad URL they tried to capture, triggering the XSS. This vulnerability is fixed in 1.35.3.

Database specific

{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-79"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/66xxx/CVE-2025-66459.json"
}

References

Affected packages

Git / github.com/lookyloo/lookyloo

Affected ranges

Type: GIT
Repo: https://github.com/lookyloo/lookyloo
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

841a5b5d263e024be242df3b6e5efca7a08016d7

Affected versions

v0.*

v0.6

v1.*

v1.0

v1.1

v1.10

v1.10.0

v1.11.0

v1.12.0

v1.13.0

v1.14.0

v1.15.0

v1.16.0

v1.17.0

v1.18.0

v1.19.0

v1.2

v1.20.0

v1.21.0

v1.22.0

v1.23.0

v1.24.0

v1.25.0

v1.26.0

v1.26.1

v1.27.0

v1.28.0

v1.28.1

v1.29.0

v1.3

v1.30.0

v1.31.0

v1.32.0

v1.33.0

v1.34.0

v1.35.0

v1.35.1

v1.35.2

v1.4.0

v1.5.0

v1.6.0

v1.7.0

v1.8.0

v1.9.0

v1.9.1

v1.9.2