Overview
CVE-2025-66460 identifies a vulnerability in Lookyloo, a web interface for capturing website pages and analyzing their domain relationships. Versions prior to 1.35.3 fail to HTML-escape values rendered through the DataTables orthogonal-data feature. The result is Cross-Site Scripting (XSS): a crafted value shown in one of the affected tables is interpreted as markup, so an attacker can inject arbitrary HTML or JavaScript into the page that the Lookyloo user is viewing.
Technical Details
The vulnerability stems from Lookyloo rendering values into DataTables cells without HTML-escaping them first. The orthogonal-data feature lets a single column carry separate values for display, sorting and filtering; the display value is inserted into the cell as HTML, so any angle brackets or quote characters in it are interpreted as markup rather than text. A crafted display value therefore executes as script in the browser of whoever opens the table. Because Lookyloo's purpose is to capture pages from arbitrary, possibly hostile websites, the data shown in these tables can originate from a site under investigation rather than from a trusted user, which is what makes an unescaped display path reachable by an attacker. The popup view is confirmed to be exploitable; other areas that render data through DataTables are likely affected as well.
CVSS Analysis
The CVE record does not currently carry a CVSS score or severity rating. A missing score is not an indication of low severity; it only means that no scoring has been published for the record. Cross-Site Scripting in an analyst-facing tool that deliberately ingests hostile content should be treated as a priority patch regardless.
Possible Impact
The primary impact of CVE-2025-66460 is Cross-Site Scripting (XSS): arbitrary JavaScript running in the browser of whoever views the affected table, inside that user's authenticated Lookyloo session. From there a successful attack could:
- Read cookies and session tokens that are not marked HttpOnly, or simply drive the application using the victim's existing session.
- Deface the Lookyloo web interface or alter the analysis results shown to the analyst.
- Redirect users to malicious websites.
- Perform any other action the victim is authorized to perform in Lookyloo.
Mitigation or Patch Steps
The vulnerability is resolved in Lookyloo version 1.35.3, which escapes the values before they are rendered in the affected DataTables. Users are strongly advised to upgrade to version 1.35.3 or later.
- Upgrade Lookyloo: the only complete fix is to upgrade to version 1.35.3 or later.
- Escape at the output layer: input validation is the wrong layer for this class of bug, because the data comes from captured websites and cannot be rejected without losing the content the analyst needs to see. Defense in depth means HTML-escaping every value at the point where it becomes HTML, for example by using the built-in DataTables text renderer ($.fn.dataTable.render.text()) for columns that only carry plain text, and serving a Content Security Policy that disallows inline script so that a missed escape cannot execute.
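The following is an added example written for this page to illustrate both the mechanism described under Technical Details and the output-escaping fix recommended above. It is not Lookyloo's code and not DataTables' source: it only mirrors the calling convention of a DataTables columns.render callback, which receives (data, type, row) and whose return value for type 'display' is inserted into the cell as HTML. The escapeHtml helper, the renderVulnerable and renderSafe functions, and the sample cells are all constructed for this example.

```javascript
// Added example, not Lookyloo's code. A DataTables-style orthogonal
// column renderer in a vulnerable and a hardened form. DataTables calls
// columns.render as render(data, type, row) with type in
// {'display', 'filter', 'sort', 'type'} and inserts the 'display'
// result into the cell as HTML. The helper names, the two renderers and
// the sample cells below are assumptions made for this illustration.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape the five characters that can break out of text or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the orthogonal object {_: display, sort: ...} is
// trusted as-is, so the display value reaches the DOM unescaped.
function renderVulnerable(data, type) {
  if (type === 'display') return data._;
  if (type === 'sort') return data.sort;
  return data._;
}

// Hardened pattern: escape only the value that becomes HTML. Sort and
// filter values are compared, never inserted into the DOM, so escaping
// them would only corrupt ordering and searching.
function renderSafe(data, type) {
  if (type === 'display') return escapeHtml(data._);
  if (type === 'sort') return data.sort;
  return data._; // 'filter' and 'type' get the raw text for matching
}

// Constructed sample cell: a page title chosen by a hostile captured site.
const hostileCell = {
  _: '<img src=x onerror="alert(document.cookie)">',
  sort: 0,
};

// Constructed benign cell whose '<' must survive untouched in sort/filter.
const benignCell = { _: 'a < b', sort: 1 };

// True if the string still contains an unescaped tag opener.
function containsActiveHtml(html) {
  return /<[a-z!\/?]/i.test(html);
}

// Render the same cells both ways so the difference is visible.
function demo() {
  return {
    vulnerableDisplay: renderVulnerable(hostileCell, 'display'),
    safeDisplay: renderSafe(hostileCell, 'display'),
    safeSort: renderSafe(hostileCell, 'sort'),
    safeFilter: renderSafe(benignCell, 'filter'),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

The point of keeping sort and filter values raw is that orthogonal data exists precisely so that those values can differ from what is displayed; escaping everything would turn a numeric sort key into a string and make a search for "<" miss rows, which is the kind of regression that tempts developers to drop escaping altogether. Escaping exactly the display branch fixes the XSS without touching table behaviour.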
References
- GitHub Commit: 63b39311f6b251a671895d97174345faf1b18e6e – Commit fixing the vulnerability.
- GitHub Security Advisory: GHSA-r93r-7jfr-99c3 – Security advisory for the vulnerability.
