Search
Find a vulnerability
Search criteria
2 vulnerabilities by LookyLoo
GCVE-1-2026-0028
Vulnerability from gna-1 – Published: 2026-04-29 19:28 – Updated: 2026-04-29 19:28
VLAI
Title
LookyLoo - PlaywrightCapture permits access to local files and internal network resources during page capture
Summary
PlaywrightCapture did not sufficiently restrict navigations and resource requests initiated by rendered pages. An attacker-controlled page could abuse browser-side redirection mechanisms, such as window.location.href, to make the capture process open file:// URLs or request resources hosted on private, loopback, link-local, or otherwise non-public IP addresses.
In deployments where PlaywrightCapture processes untrusted URLs, this could allow a remote attacker to perform server-side request forgery against internal services or attempt to access local files from the capture environment. Depending on what capture artifacts are generated and exposed, responses from those resources could potentially be leaked through screenshots, saved page content, logs, or other capture outputs.
The patch mitigates the issue by introducing request routing checks that block secondary requests to local files, non-global IP addresses, and .local domains when only_global_lookup is enabled, while still allowing the originally requested capture URL.
Severity
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/Lookyloo/PlaywrightCapture/com… | patch |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| LookyLoo | PlaywrightCapture |
Affected:
0 , < 1.39.6
(semver)
|
Credits
Relationships
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "PlaywrightCapture",
"vendor": "LookyLoo",
"versions": [
{
"lessThan": "1.39.6",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "remediation developer",
"value": "Raphael Vinot"
},
{
"lang": "en",
"type": "finder",
"value": "Jeroen Gui"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003ePlaywrightCapture did not sufficiently restrict navigations and resource requests initiated by rendered pages. An attacker-controlled page could abuse browser-side redirection mechanisms, such as \u003ccode\u003ewindow.location.href\u003c/code\u003e, to make the capture process open \u003ccode\u003efile://\u003c/code\u003e URLs or request resources hosted on private, loopback, link-local, or otherwise non-public IP addresses.\u003c/p\u003e\n\u003cp\u003eIn deployments where PlaywrightCapture processes untrusted URLs, this could allow a remote attacker to perform server-side request forgery against internal services or attempt to access local files from the capture environment. Depending on what capture artifacts are generated and exposed, responses from those resources could potentially be leaked through screenshots, saved page content, logs, or other capture outputs.\u003c/p\u003e\n\u003cp\u003eThe patch mitigates the issue by introducing request routing checks that block secondary requests to local files, non-global IP addresses, and \u003ccode\u003e.local\u003c/code\u003e domains when \u003ccode\u003eonly_global_lookup\u003c/code\u003e is enabled, while still allowing the originally requested capture URL.\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "PlaywrightCapture did not sufficiently restrict navigations and resource requests initiated by rendered pages. An attacker-controlled page could abuse browser-side redirection mechanisms, such as window.location.href, to make the capture process open file:// URLs or request resources hosted on private, loopback, link-local, or otherwise non-public IP addresses.\n\n\nIn deployments where PlaywrightCapture processes untrusted URLs, this could allow a remote attacker to perform server-side request forgery against internal services or attempt to access local files from the capture environment. Depending on what capture artifacts are generated and exposed, responses from those resources could potentially be leaked through screenshots, saved page content, logs, or other capture outputs.\n\n\nThe patch mitigates the issue by introducing request routing checks that block secondary requests to local files, non-global IP addresses, and .local domains when only_global_lookup is enabled, while still allowing the originally requested capture URL."
}
],
"impacts": [
{
"capecId": "CAPEC-664",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-664 Server Side Request Forgery"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"orgId": "00000000-0000-4000-9000-000000000000"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/Lookyloo/PlaywrightCapture/commit/49e289eba756e4fbac1322c33cfd111411562405"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "LookyLoo - PlaywrightCapture permits access to local files and internal network resources during page capture",
"x_gcve": [
{
"recordType": "advisory",
"vulnId": "gcve-1-2026-0028"
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "00000000-0000-4000-9000-000000000000",
"datePublished": "2026-04-29T19:28:00.000Z",
"dateUpdated": "2026-04-29T19:28:44.316023Z",
"requesterUserId": "00000000-0000-4000-9000-000000000000",
"serial": 1,
"state": "PUBLISHED",
"vulnId": "GCVE-1-2026-0028",
"vulnerabilitylookup_history": [
[
"alexandre.dulaunoy@circl.lu",
"2026-04-29T19:28:20.659212Z"
],
[
"alexandre.dulaunoy@circl.lu",
"2026-04-29T19:28:44.316023Z"
]
]
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
GCVE-1-2025-0018 (CVE-2025-65095)
Vulnerability from gna-1 – Published: 2025-11-18 15:33 – Updated: 2025-11-18 20:39
VLAI
Title
HTML injection issue was identified in Lookyloo’s web interface helper function
Summary
A HTML injection issue was identified in Lookyloo’s web interface helper function shorten_string (website/web/__init__.py). The function was used to truncate and render user-controlled values inside HTML (for example in a <span title="..."> attribute) without first escaping the string. This allowed crafted input containing HTML to be injected into the rendered page.
On a standard Lookyloo installation, the configured Content Security Policy (CSP) significantly limited the impact and prevented direct script execution in most scenarios, but the underlying HTML injection bug was still present and could become exploitable if CSP was relaxed or modified.
Severity
CWE
- CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/Lookyloo/lookyloo/commit/ac2f7… | patch |
| https://github.com/Lookyloo/lookyloo/security/adv… | vendor-advisory |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "lookyloo",
"vendor": "lookyloo",
"versions": [
{
"lessThanOrEqual": "1.35.0",
"status": "affected"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA HTML injection issue was identified in Lookyloo\u2019s web interface helper function \u003ccode\u003eshorten_string\u003c/code\u003e\u0026nbsp;(\u003ccode\u003ewebsite/web/__init__.py\u003c/code\u003e). The function was used to truncate and render user-controlled values inside HTML (for example in a \u003ccode\u003e\u0026lt;span title=\"...\"\u0026gt;\u003c/code\u003e\u0026nbsp;attribute) without first escaping the string. This allowed crafted input containing HTML to be injected into the rendered page.\u003c/p\u003e\u003cp\u003eOn a standard Lookyloo installation, the configured Content Security Policy (CSP) significantly limited the impact and prevented direct script execution in most scenarios, but the underlying HTML injection bug was still present and could become exploitable if CSP was relaxed or modified.\u003c/p\u003e"
}
],
"value": "A HTML injection issue was identified in Lookyloo\u2019s web interface helper function shorten_string\u00a0(website/web/__init__.py). The function was used to truncate and render user-controlled values inside HTML (for example in a \u003cspan title=\"...\"\u003e\u00a0attribute) without first escaping the string. This allowed crafted input containing HTML to be injected into the rendered page.\n\nOn a standard Lookyloo installation, the configured Content Security Policy (CSP) significantly limited the impact and prevented direct script execution in most scenarios, but the underlying HTML injection bug was still present and could become exploitable if CSP was relaxed or modified."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"orgId": "00000000-0000-4000-9000-000000000000"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/Lookyloo/lookyloo/commit/ac2f73dbfcad88b815b18c42cca77a1c645f1726"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://github.com/Lookyloo/lookyloo/security/advisories/GHSA-m9g6-23c8-vrxf"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "HTML injection issue was identified in Lookyloo\u2019s web interface helper function",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "If you don\u0027t upgrade, a proper CSP policy will avoid this vulnerability."
}
],
"value": "If you don\u0027t upgrade, a proper CSP policy will avoid this vulnerability."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "00000000-0000-4000-9000-000000000000",
"cveId": "CVE-2025-65095",
"datePublished": "2025-11-18T15:33:00.000Z",
"dateUpdated": "2025-11-18T20:39:45.579295Z",
"requesterUserId": "00000000-0000-4000-9000-000000000000",
"serial": 1,
"state": "PUBLISHED",
"vulnId": "GCVE-1-2025-0018",
"vulnerabilitylookup_history": [
[
"alexandre.dulaunoy@circl.lu",
"2025-11-18T15:33:07.767301Z"
],
[
"alexandre.dulaunoy@circl.lu",
"2025-11-18T15:49:02.564916Z"
],
[
"alexandre.dulaunoy@circl.lu",
"2025-11-18T20:39:45.579295Z"
]
]
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}