← voltar
CVE-2025-66459

Lookyloo vulnerable to XSS due to unescaped error message passed to innerHTML

CVSS 5.3 MEDIUMEPSS 0.3%CWE-79
Vexday Risk Score
13Baixo
Decisão SSVC (CISA)
Track
Sem sinal de exploração → monitorar
CVSS 5.3EPSS 0.3%KEV nãoPoC Nuclei Metasploit Patch
Ciclo de vida
02 dez 2025Publicada no NVD
Recomendação: Monitorar — sem sinal de exploração no momento.
Lookyloo is a web interface that allows users to capture a website page and then display a tree of domains that call each other. Prior to 1.35.3, a XSS vulnerability can be triggered when a user submits a list of URLs to capture, one of them contains a HTML element, and the capture fails. Then, the error field is populated with an error message that contains the bad URL they tried to capture, triggering the XSS. This vulnerability is fixed in 1.35.3.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Produtos afetados
Lookyloo · lookyloo