CVSS: 9.8 • EPSS: 0% • CPEs: 14 • EXPL: 0 • CVE-2025-12742 – Remote Code Execution in Looker via Teradata JDBC Driver
https://notcve.org/view.php?id=CVE-2025-12742
25 Nov 2025 — A Looker user with a Developer role could cause Looker to execute a malicious command, due to insecure processing of Teradata driver parameters. Looker-hosted and Self-hosted were found to be vulnerable. This issue has already been mitigated for Looker-hosted instances. No user action is required for these. Self-hosted instances must be upgraded as soon as possible. This vulnerability has been patched in all supported versions of Self-hosted. The versions below have all been updated to protect from this vul... • https://cloud.google.com/support/bulletins#gcp-2025-052 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVSS: 9.8 • EPSS: 0% • CPEs: 14 • EXPL: 0 • CVE-2025-12741 – Arbitrary File Write in Denodo dialect of Looker allows Remote Code Execution
https://notcve.org/view.php?id=CVE-2025-12741
24 Nov 2025 — A Looker user with a Developer role could create a database connection using the Denodo driver and, by manipulating LookML, cause Looker to execute a malicious command. Looker-hosted and Self-hosted were found to be vulnerable. This issue has already been mitigated for Looker-hosted instances. No user action is required for these. Self-hosted instances must be upgraded as soon as possible. This vulnerability has been patched in all supported versions of Self-hosted. The versions below have all been updated to pro... • https://cloud.google.com/support/bulletins#gcp-2025-052 • CWE-20: Improper Input Validation
CVSS: 9.8 • EPSS: 0% • CPEs: 10 • EXPL: 0 • CVE-2025-12740 – Remote Command Execution in Looker via IBM DB2 JDBC driver
https://notcve.org/view.php?id=CVE-2025-12740
24 Nov 2025 — A Looker user with a Developer role could create a database connection using the IBM DB2 driver and, by manipulating LookML, cause Looker to execute a malicious command, due to inadequate filtering of the driver's parameters. Looker-hosted and Self-hosted were found to be vulnerable. This issue has already been mitigated for Looker-hosted instances. No user action is required for these. Self-hosted instances must be upgraded as soon as possible. This vulnerability has been patched in all supported versions of S... • https://cloud.google.com/support/bulletins#gcp-2025-052 • CWE-20: Improper Input Validation
CVSS: 9.1 • EPSS: 0% • CPEs: 14 • EXPL: 0 • CVE-2025-12739 – Cross-Site Scripting (XSS) in Looker's Extension Loader leading to Admin Account Compromise
https://notcve.org/view.php?id=CVE-2025-12739
24 Nov 2025 — An attacker with viewer permissions in Looker could craft a malicious URL that, when opened by a Looker admin, would execute an attacker-supplied script. Exploitation required at least one Looker extension installed on the instance. Looker-hosted and Self-hosted were found to be vulnerable. This issue has already been mitigated for Looker-hosted instances. No user action is required for these. Self-hosted instances must be upgraded as soon as possible. • https://cloud.google.com/support/bulletins#gcp-2025-068 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS: 1.9 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2025-13425 – Denial of Service in OSV-SCALIBR
https://notcve.org/view.php?id=CVE-2025-13425
20 Nov 2025 — A bug in the filesystem traversal fallback path causes fs/diriterate/diriterate.go:Next() to overindex an empty slice when ReadDir returns nil for an empty directory, resulting in a panic (index out of range) and an application crash (denial of service) in OSV-SCALIBR. • https://github.com/google/osv-scalibr/commit/e67c4e198ca099cb7c16957a80f6c5331d90a672 • CWE-476: NULL Pointer Dereference
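The crash path this entry describes, as an added illustration that is not code from the osv-scalibr repository: a constructed fs.ReadDirFile whose ReadDir hands back (nil, nil) for an empty directory, an iterator step that reads entries[0] the way the advisory describes, and the length check that turns the panic into a clean io.EOF. The type and function names (fakeDir, unsafeNext, safeNext, listNames) and the in-memory directory contents are assumptions made for the example; the linked commit is the project's actual fix.

```go
package main

import (
	"fmt"
	"io"
	"io/fs"
)

// nameEntry is a minimal fs.DirEntry for the constructed in-memory directory.
type nameEntry string

func (e nameEntry) Name() string               { return string(e) }
func (e nameEntry) IsDir() bool                { return false }
func (e nameEntry) Type() fs.FileMode          { return 0 }
func (e nameEntry) Info() (fs.FileInfo, error) { return nil, fs.ErrNotExist }

// fakeDir is a constructed fs.ReadDirFile over a list of names. Once the list
// is exhausted (immediately, for an empty directory) ReadDir returns
// (nil, nil). fs.ReadDirFile documents io.EOF for that case, but the advisory
// shows a nil result reaching the iterator, and that is what this reproduces.
type fakeDir struct {
	names []string
	pos   int
}

func (d *fakeDir) Stat() (fs.FileInfo, error) { return nil, fs.ErrInvalid }
func (d *fakeDir) Read([]byte) (int, error)   { return 0, io.EOF }
func (d *fakeDir) Close() error               { return nil }

func (d *fakeDir) ReadDir(n int) ([]fs.DirEntry, error) {
	if d.pos >= len(d.names) {
		return nil, nil // the "nil for an empty directory" result
	}
	end := len(d.names)
	if n > 0 && d.pos+n < end {
		end = d.pos + n
	}
	out := make([]fs.DirEntry, 0, end-d.pos)
	for _, name := range d.names[d.pos:end] {
		out = append(out, nameEntry(name))
	}
	d.pos = end
	return out, nil
}

// unsafeNext mirrors the bug pattern: a nil error is taken to mean at least
// one entry, and entries[0] is read without checking the length.
func unsafeNext(d fs.ReadDirFile) (fs.DirEntry, error) {
	entries, err := d.ReadDir(1)
	if err != nil {
		return nil, err
	}
	return entries[0], nil // panics: index out of range [0] with length 0
}

// safeNext treats an empty, error-free result as end of directory.
func safeNext(d fs.ReadDirFile) (fs.DirEntry, error) {
	entries, err := d.ReadDir(1)
	if err != nil {
		return nil, err
	}
	if len(entries) == 0 {
		return nil, io.EOF
	}
	return entries[0], nil
}

// listNames drains a directory through next until io.EOF.
func listNames(d fs.ReadDirFile, next func(fs.ReadDirFile) (fs.DirEntry, error)) ([]string, error) {
	names := []string{}
	for {
		e, err := next(d)
		if err == io.EOF {
			return names, nil
		}
		if err != nil {
			return names, err
		}
		names = append(names, e.Name())
	}
}

// panics reports whether fn panicked, so the crash can be shown without
// taking the process down.
func panics(fn func()) (panicked bool) {
	defer func() {
		if r := recover(); r != nil {
			panicked = true
		}
	}()
	fn()
	return false
}

func main() {
	fmt.Println("unsafeNext on an empty directory panics:", panics(func() { _, _ = unsafeNext(&fakeDir{}) }))
	names, err := listNames(&fakeDir{}, safeNext)
	fmt.Println("safeNext on an empty directory:", names, err)
	names, err = listNames(&fakeDir{names: []string{"a.go", "b.go", "c.go"}}, safeNext)
	fmt.Println("safeNext on a populated directory:", names, err)
}
```

The hardened step does not lean on the ReadDirFile contract (io.EOF at end of directory): any fs.FS implementation can return a nil slice with a nil error, and a scanner that walks untrusted trees should read that as end-of-directory rather than as a promise of at least one entry.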
CVSS: 9.2 • EPSS: 0% • CPEs: 14 • EXPL: 0 • CVE-2025-12414 – Looker account compromise via punycode homograph attack
https://notcve.org/view.php?id=CVE-2025-12414
20 Nov 2025 — An attacker could take over a Looker account in a Looker instance configured with OIDC authentication, due to email address string normalization. Looker-hosted and Self-hosted were found to be vulnerable. This issue has already been mitigated for Looker-hosted. Self-hosted instances must be upgraded as soon as possible. This vulnerability has been patched in all supported versions of Self-hosted. The versions below have all been updated to protect from this vulnerability. You can download these versions at t... • https://cloud.google.com/support/bulletins#GCP-2025-067 • CWE-290: Authentication Bypass by Spoofing
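The entry does not say how Looker matched the IdP-asserted email to an account, so the following is a generic check added here, not Looker's code: it keeps the exact A-label (xn--) form of the domain as the identity that accounts are matched on, and separately computes a look-alike "skeleton" (punycode decoded, a few Cyrillic confusables folded to Latin) to detect an address that is a different identity but renders like an existing one. The punycode decoder follows RFC 3492; the confusables subset, the sample addresses (alice@apple.com against alice@xn--80ak6aa92e.com, whose domain decodes to Cyrillic аррӏе.com) and the function names are assumptions made for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// RFC 3492 Punycode parameters.
const base, tMin, tMax, skew, damp, initBias, initN = 36, 1, 26, 38, 700, 72, 128

func adapt(delta, numPoints int, first bool) int {
	if first {
		delta /= damp
	} else {
		delta /= 2
	}
	delta += delta / numPoints
	k := 0
	for ; delta > (base-tMin)*tMax/2; k += base {
		delta /= base - tMin
	}
	return k + (base-tMin+1)*delta/(delta+skew)
}

// decodePunycode decodes one lower-case label with its "xn--" prefix already
// stripped (RFC 3492 section 6.2); overflow handling is reduced to a sign check.
func decodePunycode(s string) (string, error) {
	out, rest := []rune(nil), s
	if d := strings.LastIndexByte(s, '-'); d >= 0 {
		out, rest = []rune(s[:d]), s[d+1:]
	}
	n, i, bias := initN, 0, initBias
	for pos := 0; pos < len(rest); {
		oldI, w := i, 1
		for k := base; ; k += base {
			if pos >= len(rest) {
				return "", fmt.Errorf("punycode: truncated input %q", s)
			}
			digit := strings.IndexByte("abcdefghijklmnopqrstuvwxyz0123456789", rest[pos])
			pos++
			if i += digit * w; digit < 0 || i < 0 {
				return "", fmt.Errorf("punycode: bad digit or overflow in %q", s)
			}
			t := k - bias // threshold, clamped to [tMin, tMax]
			if t < tMin {
				t = tMin
			} else if t > tMax {
				t = tMax
			}
			if digit < t {
				break
			}
			w *= base - t
		}
		bias = adapt(i-oldI, len(out)+1, oldI == 0)
		n += i / (len(out) + 1)
		i %= len(out) + 1
		out = append(out[:i], append([]rune{rune(n)}, out[i:]...)...)
		i++
	}
	return string(out), nil
}

// Cyrillic look-alikes folded to Latin: a hand-picked subset of the UTS #39 confusables.
var confusables = strings.NewReplacer("\u0430", "a", "\u0435", "e", "\u043e", "o", "\u0440", "p", "\u0441", "c", "\u04cf", "l", "\u0456", "i")

// canonical is the exact identity to match on: domain lower-cased but kept in A-label (xn--) form.
func canonical(addr string) string {
	at := strings.LastIndexByte(addr, '@') + 1
	return addr[:at] + strings.ToLower(addr[at:])
}

// skeleton is the address as a human sees it: punycode decoded, confusables folded.
func skeleton(addr string) (string, error) {
	addr = canonical(addr)
	at := strings.LastIndexByte(addr, '@') + 1
	labels := strings.Split(addr[at:], ".")
	var err error
	for i, l := range labels {
		if strings.HasPrefix(l, "xn--") {
			if labels[i], err = decodePunycode(l[4:]); err != nil {
				return "", err
			}
		}
	}
	return confusables.Replace(addr[:at] + strings.Join(labels, ".")), nil
}

// homograph: a different canonical identity that looks identical; account linking must refuse it.
func homograph(stored, incoming string) (bool, error) {
	ss, err := skeleton(stored)
	if err != nil {
		return false, err
	}
	si, err := skeleton(incoming)
	return err == nil && ss == si && canonical(stored) != canonical(incoming), err
}

func main() { fmt.Println(homograph("alice@apple.com", "alice@xn--80ak6aa92e.com")) }
```

The direction the advisory implies is the one this keeps: normalize for display and for detection, never for the identity you match on. When homograph returns true, refuse to link the login to the stored account and treat it as a new, flagged identity; a plain case-only difference in the domain is still the same canonical identity and is not flagged.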
CVSS: 6.5 • EPSS: 0% • CPEs: 16 • EXPL: 0 • CVE-2025-12743 – SQL Injection in Looker Project Generation Endpoint Allows Access to Internal MySQL Database
https://notcve.org/view.php?id=CVE-2025-12743
19 Nov 2025 — The Looker endpoint for generating new projects from database connections allows users to specify "looker" as a connection name, which is a reserved internal name for Looker's internal MySQL database. The schemas parameter is vulnerable to SQL injection, enabling attackers to manipulate SELECT queries that are constructed and executed against the internal MySQL database. This vulnerability allows users with developer permissions to extract data from Looker's internal MySQL database. Looker-hosted and Self-h... • https://cloud.google.com/support/bulletins#gcp-2025-052 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVSS: 8.1 • EPSS: 0% • CPEs: 12 • EXPL: 0 • CVE-2025-12472 – Remote Code Execution in Looker due to Improperly Validated Directory Deletion
https://notcve.org/view.php?id=CVE-2025-12472
19 Nov 2025 — An attacker with a Looker Developer role could manipulate a LookML project to exploit a race condition during Git directory deletion, leading to arbitrary command execution on the Looker instance. Looker-hosted and Self-hosted were found to be vulnerable. This issue has already been mitigated for Looker-hosted instances. No user action is required for these. Self-hosted instances must be upgraded as soon as possible. This vulnerability has been patched in all supported versions of Self-hosted. The versions ... • https://cloud.google.com/support/bulletins#gcp-2025-052 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSS: 8.0 • EPSS: 0% • CPEs: 4 • EXPL: 0 • CVE-2025-48593
https://notcve.org/view.php?id=CVE-2025-48593
18 Nov 2025 — In bta_hf_client_cb_init of bta_hf_client_main.cc, there is a possible remote code execution due to a use after free. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation. • https://android.googlesource.com/platform/packages/modules/Bluetooth/+/5ed63461b44198c80d5aff7e1af1df812f782abb • CWE-416: Use After Free
CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2025-13230
https://notcve.org/view.php?id=CVE-2025-13230
17 Nov 2025 — Type Confusion in V8 in Google Chrome prior to 142.0.7444.59 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) • https://chromereleases.googleblog.com/2025/10/stable-channel-update-for-desktop_28.html • CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')
