VYPR

Looker

by Looker Open Source

CVEs (10)

  • CVE-2025-12414 | Critical | Nov 20, 2025
    risk 0.60 | cvss n/a | epss 0.00

    An attacker could take over a Looker account in a Looker instance configured with OIDC authentication, due to email address string normalization. Looker-hosted and Self-hosted were found to be vulnerable. This issue has already been mitigated for Looker-hosted. Self-hosted…

  • CVE-2025-12741 | High | Nov 24, 2025
    risk 0.50 | cvss n/a | epss 0.00

    A Looker user with Developer role could create a database connection using Denodo driver and, by manipulating LookML, cause Looker to execute a malicious command. Looker-hosted and Self-hosted were found to be vulnerable. This issue has already been mitigated for Looker-hosted…

  • CVE-2025-12740 | High | Nov 24, 2025
    risk 0.50 | cvss n/a | epss 0.00

    A Looker user with a Developer role could create a database connection using IBM DB2 driver and, by manipulating LookML, cause Looker to execute a malicious command, due to inadequate filtering of the driver's parameters. Looker-hosted and Self-hosted were found to be…

  • CVE-2025-12742 | High | Nov 25, 2025
    risk 0.49 | cvss n/a | epss 0.00

    A Looker user with a Developer role could cause Looker to execute a malicious command, due to insecure processing of Teradata driver parameters. Looker-hosted and Self-hosted were found to be vulnerable. This issue has already been mitigated for Looker-hosted instances. No…

  • CVE-2025-12739 | High | Nov 24, 2025
    risk 0.47 | cvss n/a | epss 0.00

    An attacker with viewer permissions in Looker could craft a malicious URL that, when opened by a Looker admin, would execute an attacker-supplied script. Exploitation required at least one Looker extension installed on the instance. Looker-hosted and Self-hosted were found to…

  • CVE-2025-12472 | High | Nov 19, 2025
    risk 0.46 | cvss n/a | epss 0.00

    An attacker with a Looker Developer role could manipulate a LookML project to exploit a race condition during Git directory deletion, leading to arbitrary command execution on the Looker instance. Looker-hosted and Self-hosted were found to be vulnerable. This issue has…

  • CVE-2025-12155 | High | Nov 10, 2025
    risk 0.46 | cvss n/a | epss 0.01

    A Command Injection vulnerability, resulting from improper file path sanitization (Directory Traversal) in Looker allows an attacker with Developer permission to execute arbitrary shell commands when a user is deleted on the host system. Looker-hosted and Self-hosted were found…

  • CVE-2025-12743 | Medium | Nov 19, 2025
    risk 0.39 | cvss n/a | epss 0.00

    The Looker endpoint for generating new projects from database connections allows users to specify "looker" as a connection name, which is a reserved internal name for Looker's internal MySQL database. The schemas parameter is vulnerable to SQL injection, enabling attackers to…

  • CVE-2024-8912 | Oct 11, 2024
    risk 0.00 | cvss n/a | epss 0.00

    An HTTP Request Smuggling vulnerability in Looker allowed an unauthorized attacker to capture HTTP responses destined for legitimate users. There are two Looker versions that are hosted by Looker: * Looker (Google Cloud core) was found to be vulnerable. This issue has…

  • CVE-2024-5166 | May 22, 2024
    risk 0.00 | cvss n/a | epss 0.00

    An Insecure Direct Object Reference in Google Cloud's Looker allowed metadata exposure across authenticated Looker users sharing the same LookML model.