CVE-2025-66460

6.1 MEDIUM

📋 TL;DR

Lookyloo versions before 1.35.3 contain a cross-site scripting (XSS) vulnerability where improperly escaped values are passed to datatable cells. This allows attackers to execute arbitrary JavaScript in users' browsers when viewing captured website data. Anyone running Lookyloo instances accessible to untrusted users is affected.

💻 Affected Systems

Products:
  • Lookyloo
Versions: All versions before 1.35.3
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the web interface's datatable rendering, particularly in popup views but likely other areas too.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal session cookies, perform actions as authenticated users, redirect victims to malicious sites, or compromise user accounts through client-side attacks.

🟠 Likely Case

Attackers inject malicious JavaScript that steals session tokens or credentials from users viewing Lookyloo data, leading to account compromise.

🟢 If Mitigated

With proper input validation and output encoding, the XSS payloads would be rendered harmlessly as text rather than as executable code.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires user interaction (viewing malicious data in Lookyloo), but no authentication is needed to trigger the vulnerability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.35.3

Vendor Advisory: https://github.com/Lookyloo/lookyloo/security/advisories/GHSA-r93r-7jfr-99c3

Restart Required: Yes

Instructions:

1. Update Lookyloo to version 1.35.3 or later using pip: 'pip install --upgrade lookyloo==1.35.3'
2. Restart the Lookyloo service
3. Verify the update was successful

🔧 Temporary Workarounds

Disable popup views (applies to: all)

Temporarily disable the vulnerable popup view functionality if it is not essential.

Content Security Policy (applies to: all)

Implement strict Content Security Policy headers to mitigate the impact of XSS.

🧯 If You Can't Patch

  • Restrict access to Lookyloo instances to trusted users only
  • Implement web application firewall rules to block XSS payload patterns

🔍 How to Verify

Check if Vulnerable:

Check the Lookyloo version with 'lookyloo --version', or examine the package version in the Python environment.

Check Version:

lookyloo --version

Verify Fix Applied:

Confirm that the version is 1.35.3 or later, and test that datatable cells properly escape HTML content.
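The following is an added example, not Lookyloo's own code and not the actual change shipped in 1.35.3. It shows the pattern the advisory describes (a raw value concatenated into a datatable cell) beside its hardened form (output encoding, as in the "If Mitigated" section), together with a check of the kind the verification step above calls for: scan rendered cells for characters that should never survive escaping. The cell layout, the sample row and the function names are constructed for this example.

```python
"""Added example: escaping datatable cell values and verifying the escaping held.
Not Lookyloo's code; the table layout and sample values are constructed here."""
import html
import re

# Constructed sample row of the kind a capture feeds into a datatable:
# page titles, response headers and hostnames are all attacker-controlled.
SAMPLE_ROW = {
    "hostname": "example.test",
    "title": '<img src=x onerror="alert(1)">',
    "server": 'nginx "quoted"',
}


def render_cell_unsafe(value: object) -> str:
    """The defect the advisory describes: the value is concatenated into the
    markup unchanged, so any tag inside it is parsed by the browser as a tag."""
    return f"<td>{value}</td>"


def render_cell(value: object) -> str:
    """Hardened form: html.escape with quote=True rewrites <, >, &, " and ',
    so whatever the value contains can only ever be text inside the cell."""
    return f"<td>{html.escape(str(value), quote=True)}</td>"


def render_table(rows, renderer=render_cell) -> str:
    """Build a minimal HTML table from a list of row dicts using the given
    cell renderer (the escaping renderer by default)."""
    body = "".join(
        "<tr>" + "".join(renderer(v) for v in row.values()) + "</tr>"
        for row in rows
    )
    return f"<table>{body}</table>"


# Non-greedy match on each cell body; DOTALL so multi-line values are covered.
_CELL_RE = re.compile(r"<td>(.*?)</td>", re.DOTALL)
# Characters that correct escaping never leaves in a cell body.
_UNSAFE_CHARS = set('<>"\'')


def unsafe_cells(table_html: str) -> list:
    """Verification check: return the body of every <td> that still contains a
    raw <, >, " or '. After correct escaping this list is empty, which makes the
    function usable as a regression test for the fix."""
    return [
        inner for inner in _CELL_RE.findall(table_html)
        if _UNSAFE_CHARS & set(inner)
    ]


if __name__ == "__main__":
    print("hardened:", render_table([SAMPLE_ROW]))
    print("flagged in unsafe rendering:",
          unsafe_cells(render_table([SAMPLE_ROW], render_cell_unsafe)))
    print("flagged in hardened rendering:",
          unsafe_cells(render_table([SAMPLE_ROW])))
```

The check deliberately looks at the rendered HTML rather than the input, because the question after upgrading is not whether a value contains markup but whether the page that reaches the browser does; running it against a rendered datatable with a known markup-bearing value gives a direct answer to "test that datatable cells properly escape HTML content".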

📡 Detection & Monitoring

Log Indicators:

  • Unusual JavaScript execution in Lookyloo interface logs
  • Suspicious characters in datatable cell content

Network Indicators:

  • Malicious script tags in HTTP responses from Lookyloo

SIEM Query:

source="lookyloo" AND ("<script>" OR "javascript:" OR "onerror=" OR "onload=")
