VYPR

Looker

by Looker

CVEs (8)

  • CVE-2025-12414CriNov 20, 2025
    risk 0.60cvss epss 0.00

    An attacker could take over a Looker account in a Looker instance configured with OIDC authentication, due to email address string normalization.Looker-hosted and Self-hosted were found to be vulnerable. This issue has already been mitigated for Looker-hosted. Self-hosted…

  • CVE-2025-12741HigNov 24, 2025
    risk 0.50cvss epss 0.00

    A Looker user with Developer role could create a database connection using Denodo driver and, by manipulating LookML, cause Looker to execute a malicious command. Looker-hosted and Self-hosted were found to be vulnerable. This issue has already been mitigated for Looker-hosted…

  • CVE-2025-12740HigNov 24, 2025
    risk 0.50cvss epss 0.00

    A Looker user with a Developer role could create a database connection using IBM DB2 driver and, by manipulating LookML, cause Looker to execute a malicious command, due to inadequate filtering of the driver's parameters. Looker-hosted and Self-hosted were found to be…

  • CVE-2025-12742HigNov 25, 2025
    risk 0.49cvss epss 0.00

    A Looker user with a Developer role could cause Looker to execute a malicious command, due to insecure processing of Teradata driver parameters. Looker-hosted and Self-hosted were found to be vulnerable. This issue has already been mitigated for Looker-hosted instances. No…

  • CVE-2025-12739HigNov 24, 2025
    risk 0.47cvss epss 0.00

    An attacker with viewer permissions in Looker could craft a malicious URL that, when opened by a Looker admin, would execute an attacker-supplied script. Exploitation required at least one Looker extension installed on the instance. Looker-hosted and Self-hosted were found to…

  • CVE-2025-12472HigNov 19, 2025
    risk 0.46cvss epss 0.00

    An attacker with a Looker Developer role could manipulate a LookML project to exploit a race condition during Git directory deletion, leading to arbitrary command execution on the Looker instance. Looker-hosted and Self-hosted were found to be vulnerable. This issue has…

  • CVE-2025-12155HigNov 10, 2025
    risk 0.46cvss epss 0.01

    A Command Injection vulnerability, resulting from improper file path sanitization (Directory Traversal) in Looker allows an attacker with Developer permission to execute arbitrary shell commands when a user is deleted on the host system. Looker-hosted and Self-hosted were found…

  • CVE-2025-12743MedNov 19, 2025
    risk 0.39cvss epss 0.00

    The Looker endpoint for generating new projects from database connections allows users to specify "looker" as a connection name, which is a reserved internal name for Looker's internal MySQL database. The schemas parameter is vulnerable to SQL injection, enabling attackers to…