CVE-2025-66459
MEDIUMlookyloo < 1.35.3 - Stored Cross-Site Scripting via URL Error Message
Title source: llmDescription
Lookyloo is a web interface that allows users to capture a website page and then display a tree of domains that call each other. Prior to 1.35.3, a XSS vulnerability can be triggered when a user submits a list of URLs to capture, one of them contains a HTML element, and the capture fails. Then, the error field is populated with an error message that contains the bad URL they tried to capture, triggering the XSS. This vulnerability is fixed in 1.35.3.
References (4)
Core 4
Core References
Patch, Vendor Advisory x_refsource_confirm
https://github.com/Lookyloo/lookyloo/security/advisories/GHSA-hvmh-j2jx-48wg
Patch x_refsource_misc
https://github.com/Lookyloo/lookyloo/commit/1850a34b8cec52438df3b544295b20cfa35f8ad1
Patch x_refsource_misc
https://github.com/Lookyloo/lookyloo/commit/8c3ab96de44c1ce15646d734aa06faf884329116
Scores
CVSS v3
6.1
EPSS
0.0025
EPSS Percentile
16.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (1)
lookyloo/lookyloo
< 1.35.3
Published
Dec 02, 2025
Tracked Since
Feb 18, 2026