cpe:2.3:a:google_cloud:looker:*:*:*:*:*:*:*:*
part: a version: * update: *
| Vendor | Google Cloud (34bf7c79-23c3-583b-8203-6d0252c54ec0) |
|---|---|
| Product | Looker (06ca1cab-adec-52b5-99a3-2fe6ae822832) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | * |
| Target hardware | * |
| Other | * |
| Notes | Imported from gcve-enriched-dumps CVE data |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
| No PURL mappings for this CPE yet. | | |
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
CVE:CVE-2025-12743 |
vulnerable | 2026-06-03 14:58:44.796978 |
SQL Injection in Looker Project Generation Endpoint Allows Access to Internal MySQL Database
The Looker endpoint for generating new projects from database connections allows users to specify "looker" as a connection name, which is a reserved internal name for Looker's internal MySQL database. The schemas parameter is vulnerable to SQL injection, enabling attackers to manipulate SELECT queries that are constructed and executed against the internal MySQL database. This vulnerability allows users with developer permissions to extract data from Looker's internal MySQL database.
Looker-hosted and Self-hosted were found to be vulnerable.
This issue has already been mitigated for Looker-hosted instances. No user action is required for these.
Self-hosted instances must be upgraded as soon as possible. This vulnerability has been patched in all supported versions of Self-hosted.
The versions below have all been updated to protect against this vulnerability. You can download these versions at the Looker download page https://download.looker.com/ :
* 24.12.106
* 24.18.198+
* 25.0.75
* 25.6.63+
* 25.8.45+
* 25.10.33+
* 25.12.1+
* 25.14+
Published: 2025-11-19T16:41:30.639Z
Updated: 2025-11-19T18:47:37.355Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-12742 |
vulnerable | 2026-06-03 14:58:44.796572 |
Remote Code Execution in Looker via Teradata JDBC Driver
A Looker user with a Developer role could cause Looker to execute a malicious command, due to insecure processing of Teradata driver parameters.
Looker-hosted and Self-hosted were found to be vulnerable.
This issue has already been mitigated for Looker-hosted instances. No user action is required for these.
Self-hosted instances must be upgraded as soon as possible. This vulnerability has been patched in all supported versions of Self-hosted.
The versions below have all been updated to protect from this vulnerability. You can download these versions at the Looker download page https://download.looker.com/ :
* 24.12.108+
* 24.18.200+
* 25.0.78+
* 25.6.65+
* 25.8.47+
* 25.12.10+
* 25.14+
Published: 2025-11-25T05:38:47.907Z
Updated: 2025-11-25T14:39:05.212Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-12741 |
vulnerable | 2026-06-03 14:58:44.796119 |
Arbitrary File Write in Denodo dialect of Looker allows Remote Code Execution
A Looker user with a Developer role could create a database connection using the Denodo driver and, by manipulating LookML, cause Looker to execute a malicious command.
Looker-hosted and Self-hosted were found to be vulnerable.
This issue has already been mitigated for Looker-hosted instances. No user action is required for these.
Self-hosted instances must be upgraded as soon as possible. This vulnerability has been patched in all supported versions of Self-hosted.
The versions below have all been updated to protect from this vulnerability. You can download these versions at the Looker download page https://download.looker.com/ :
* 24.12.108+
* 24.18.200+
* 25.0.78+
* 25.6.65+
* 25.8.47+
* 25.12.10+
* 25.14+
Published: 2025-11-24T11:35:33.730Z
Updated: 2025-11-24T13:13:17.641Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-12740 |
vulnerable | 2026-06-03 14:58:44.795757 |
Remote Command Execution in Looker via IBM DB2 JDBC driver
A Looker user with a Developer role could create a database connection using the IBM DB2 driver and, by manipulating LookML, cause Looker to execute a malicious command, due to inadequate filtering of the driver's parameters.
Looker-hosted and Self-hosted were found to be vulnerable.
This issue has already been mitigated for Looker-hosted instances. No user action is required for these.
Self-hosted instances must be upgraded as soon as possible. This vulnerability has been patched in all supported versions of Self-hosted.
The versions below have all been updated to protect from this vulnerability. You can download these versions at the Looker download page https://download.looker.com/ :
* 25.0.93+
* 25.6.84+
* 25.12.42+
* 25.14.50+
* 25.16.44+
Published: 2025-11-24T11:30:31.958Z
Updated: 2025-11-24T13:14:36.770Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-12739 |
vulnerable | 2026-06-03 14:58:44.795295 |
Cross-Site Scripting (XSS) in Looker's Extension Loader leading to Admin Account Compromise
An attacker with viewer permissions in Looker could craft a malicious URL that, when opened by a Looker admin, would execute an attacker-supplied script. Exploitation required at least one Looker extension installed on the instance.
Looker-hosted and Self-hosted were found to be vulnerable.
This issue has already been mitigated for Looker-hosted instances. No user action is required for these.
Self-hosted instances must be upgraded as soon as possible. This vulnerability has been patched in all supported versions of Self-hosted.
The versions below have all been updated to protect from this vulnerability. You can download these versions at the Looker download page https://download.looker.com/ :
* 24.18.201+
* 25.0.79+
* 25.6.66+
* 25.12.7+
* 25.16.0+
* 25.18.0+
* 25.20.0+
Published: 2025-11-24T09:11:38.396Z
Updated: 2025-11-24T13:43:54.837Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-12472 |
vulnerable | 2026-06-03 14:58:44.404550 |
Remote Code Execution in Looker due to Improperly Validated Directory Deletion
An attacker with a Looker Developer role could manipulate a LookML project to exploit a race condition during Git directory deletion, leading to arbitrary command execution on the Looker instance.
Looker-hosted and Self-hosted were found to be vulnerable.
This issue has already been mitigated for Looker-hosted instances. No user action is required for these.
Self-hosted instances must be upgraded as soon as possible. This vulnerability has been patched in all supported versions of Self-hosted.
The versions below have all been updated to protect from this vulnerability. You can download these versions at the Looker download page https://download.looker.com/ :
* 24.12.103+
* 24.18.195+
* 25.0.72+
* 25.6.60+
* 25.8.42+
* 25.10.22+
Published: 2025-11-19T10:27:56.520Z
Updated: 2025-11-19T16:24:04.479Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-12414 |
vulnerable | 2026-06-03 14:58:44.330774 |
Looker account compromise via punycode homograph attack
An attacker could take over a Looker account in a Looker instance configured with OIDC authentication, due to email address string normalization.
Looker-hosted and Self-hosted were found to be vulnerable.
This issue has already been mitigated for Looker-hosted.
Self-hosted instances must be upgraded as soon as possible. This vulnerability has been patched in all supported versions of Self-hosted.
The versions below have all been updated to protect from this vulnerability. You can download these versions at the Looker download page https://download.looker.com/ :
* 24.12.100+
* 24.18.193+
* 25.0.69+
* 25.6.57+
* 25.8.39+
* 25.10.22+
* 25.12.0+
Published: 2025-11-20T10:32:52.463Z
Updated: 2025-11-20T14:36:38.420Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-12155 |
vulnerable | 2026-06-03 14:58:43.895293 |
Command Injection in Looker
A Command Injection vulnerability, resulting from improper file path sanitization (Directory Traversal) in Looker, allows an attacker with Developer permission to execute arbitrary shell commands when a user is deleted on the host system.
Looker-hosted and Self-hosted were found to be vulnerable.
This issue has already been mitigated for Looker-hosted instances. No user action is required for these.
Self-hosted instances must be upgraded as soon as possible. This vulnerability has been patched in all supported versions of Self-hosted.
The versions below have all been updated to protect from this vulnerability. You can download these versions at the Looker download page https://download.looker.com/ :
* 24.12.100+
* 24.18.192+
* 25.0.69+
* 25.6.57+
* 25.8.39+
* 25.10.22+
Published: 2025-11-10T08:49:45.811Z
Updated: 2025-11-10T15:18:43.851Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-5166 |
vulnerable | 2026-06-03 14:57:51.928129 |
Insecure Direct Object Reference In Looker
MEDIUM (6.5)
An Insecure Direct Object Reference in Google Cloud's Looker allowed metadata exposure across authenticated Looker users sharing the same LookML model.
Published: 2024-05-22T16:11:55.740Z
Updated: 2024-08-01T21:03:10.986Z |
Imported from gcve-enriched-dumps CVE data |