Unrated severityNVD Advisory· Published Dec 2, 2025· Updated Dec 2, 2025

Lookyloo vulnerable to XSS due to unescaped error message passed to innerHTML

CVE-2025-66459

Description

Lookyloo is a web interface that allows users to capture a website page and then display a tree of domains that call each other. Prior to 1.35.3, a XSS vulnerability can be triggered when a user submits a list of URLs to capture, one of them contains a HTML element, and the capture fails. Then, the error field is populated with an error message that contains the bad URL they tried to capture, triggering the XSS. This vulnerability is fixed in 1.35.3.

Affected products

Lookyloo/Lookyloollm-fuzzy
Range: <1.35.3
Lookyloo/lookyloov5
Range: < 1.35.3

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/Lookyloo/lookyloo/commit/1850a34b8cec52438df3b544295b20cfa35f8ad1mitrex_refsource_MISC
github.com/Lookyloo/lookyloo/commit/8c3ab96de44c1ce15646d734aa06faf884329116mitrex_refsource_MISC
github.com/Lookyloo/lookyloo/commit/95cdc00fe37fd89790fa89bb3ee3fefa2da38442mitrex_refsource_MISC
github.com/Lookyloo/lookyloo/security/advisories/GHSA-hvmh-j2jx-48wgmitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000