QwikSec

Security Database

CVE

CWE

Training

CVE-2025-66458

Published: Dec 2, 2025

Modified: Dec 2, 2025

PUBLISHED

Description

Lookyloo is a web interface that allows users to capture a website page and then display a tree of domains that call each other. Prior to 1.35.3, there are multiple XSS due to unsafe use of f-strings in Markup. The issue requires a malicious 3rd party server responding with a JSON document containing JS code in a script element. This vulnerability is fixed in 1.35.3.

Vendor	Product	Versions
Lookyloo	lookyloo	affected `< 1.35.3`

Weaknesses (CWE)

References

https://github.com/Lookyloo/lookyloo/security/advisories/GHSA-58h2-652v-gq87

x_refsource_CONFIRM

https://github.com/Lookyloo/lookyloo/commit/b6ee2fee0afff0b35f37dd891bbce9d53ed8a290

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.