VYPR

Looker

by Google

CVEs (7)

  • CVE-2025-12414CriNov 20, 2025
    risk 0.60cvss epss 0.00

    An attacker could take over a Looker account in a Looker instance configured with OIDC authentication, due to email address string normalization.Looker-hosted and Self-hosted were found to be vulnerable. This issue has already been mitigated for Looker-hosted. Self-hosted…

  • CVE-2025-12742HigNov 25, 2025
    risk 0.49cvss epss 0.00

    A Looker user with a Developer role could cause Looker to execute a malicious command, due to insecure processing of Teradata driver parameters. Looker-hosted and Self-hosted were found to be vulnerable. This issue has already been mitigated for Looker-hosted instances. No…

  • CVE-2024-8912HigOct 11, 2024
    risk 0.49cvss 7.5epss 0.00

    An HTTP Request Smuggling vulnerability in Looker allowed an unauthorized attacker to capture HTTP responses destined for legitimate users. There are two Looker versions that are hosted by Looker: * Looker (Google Cloud core) was found to be vulnerable. This issue has…

  • CVE-2025-12739HigNov 24, 2025
    risk 0.47cvss epss 0.00

    An attacker with viewer permissions in Looker could craft a malicious URL that, when opened by a Looker admin, would execute an attacker-supplied script. Exploitation required at least one Looker extension installed on the instance. Looker-hosted and Self-hosted were found to…

  • CVE-2025-12472HigNov 19, 2025
    risk 0.46cvss epss 0.00

    An attacker with a Looker Developer role could manipulate a LookML project to exploit a race condition during Git directory deletion, leading to arbitrary command execution on the Looker instance. Looker-hosted and Self-hosted were found to be vulnerable. This issue has…

  • CVE-2024-5166MedMay 22, 2024
    risk 0.42cvss 6.5epss 0.00

    An Insecure Direct Object Reference in Google Cloud's Looker allowed metadata exposure across authenticated Looker users sharing the same LookML model.

  • CVE-2025-12743MedNov 19, 2025
    risk 0.39cvss epss 0.00

    The Looker endpoint for generating new projects from database connections allows users to specify "looker" as a connection name, which is a reserved internal name for Looker's internal MySQL database. The schemas parameter is vulnerable to SQL injection, enabling attackers to…