CVE-2025-66459 MEDIUM

CVE-2025-66459: Lookyloo vulnerable to XSS due to unescaped error message passed to innerHTML

Vendor Lookyloo
Product lookyloo
Weakness CWE-79 · XSS
Published December 2, 2025
Last update December 2, 2025
View on NVD All CVEs

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01Description

Lookyloo is a web interface that allows users to capture a website page and then display a tree of domains that call each other. Prior to 1.35.3, a XSS vulnerability can be triggered when a user submits a list of URLs to capture, one of them contains a HTML element, and the capture fails. Then, the error field is populated with an error message that contains the bad URL they tried to capture, triggering the XSS. This vulnerability is fixed in 1.35.3.

Key dates

02Disclosure timeline

December 2, 2025 CVE published
December 2, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-64130 Zenitel TCIV-3+ Cross-site Scripting CVE-2018-0339 CVE-2024-11457 Feedpress Generator – External RSS Frontend Customizer <= 1.2.1 - Reflected Cross-Site Scripting CVE-2024-20512 Cisco Unified Contact Center Management Portal Reflected Cross-Site Scripting Vulnerability CVE-2024-8961 Essential Addons for Elementor – Best Elementor Addon, Templates, Widgets, Kits & WooCommerce Builders <= 6.0.7 - Authenticated (Contributor+) Stored Cross-Site Scripting