Looker - 13 CVEs (Page 1/1)

About “Looker”

A curated feed of “Looker”-related CVEs appears below. We currently track 13 CVEs for this tag (all time). In the last 365 days, 11 were published. Average CVSS is 7.4 (all time; 7.5 over 365d), and 85% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'), CWE-20 - Improper Input Validation, CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection').

In our taxonomy this topic maps to a LOW impact class. Analytics and BI systems may expose sensitive datasets. Patch, enforce RBAC and TLS, review sharing policies, and sanitize data exports. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

Support & lifecycle: looker

This table shows recent release cycles and their projected end-of-life. Data source: endoflife.date.

Cycle	Release	Latest	EOL	LTS
26.6	2026-03-25	-	2026-08-31 Soon	LTS
26.4	2026-03-05	-	2026-05-31 Expired
26.2	2026-02-09	-	2026-04-30 Expired
26.0	2026-01-08	-	2026-06-30 Soon	LTS
25.20	2025-11-30	-	2026-03-31 Expired
25.18	2025-10-31	-	2026-02-28 Expired	LTS
25.16	2025-09-30	-	2025-12-31 Expired
25.14	2025-08-31	-	2025-11-30 Expired
25.12	2025-07-31	-	2025-11-30 Expired	LTS
25.10	2025-06-30	-	2025-09-30 Expired
25.8	2025-05-31	-	2025-08-31 Expired
25.6	2025-04-30	-	2025-08-31 Expired	LTS
25.4	2025-03-31	-	2025-06-30 Expired
25.2	2025-02-28	-	2025-05-31 Expired
25.0	2025-01-31	-	2025-05-31 Expired	LTS
24.20	2024-11-30	-	2025-03-31 Expired
24.18	2024-10-31	-	2025-02-28 Expired	LTS
24.16	2024-09-11	-	2024-12-31 Expired
24.14	2024-08-14	-	2024-11-30 Expired
24.12	2024-07-10	-	2024-11-30 Expired	LTS
24.10	2024-06-12	-	2024-09-30 Expired
24.8	2024-05-08	-	2024-08-31 Expired
24.6	2024-04-10	-	2024-08-31 Expired	LTS
24.4	2024-03-13	-	2024-06-30 Expired
24.2	2024-02-14	-	2024-05-31 Expired
24.0	2024-01-10	-	2024-05-31 Expired	LTS
23.20	2023-11-08	-	2024-03-31 Expired
23.18	2023-10-11	-	2024-02-28 Expired	LTS
23.16	2023-09-13	-	2023-12-12 Expired
23.14	2023-08-09	-	2023-11-08 Expired
23.12	2023-07-12	-	2023-11-30 Expired	LTS
23.10	2023-06-14	-	2023-09-13 Expired
23.8	2023-05-10	-	2023-08-09 Expired
23.6	2023-04-14	-	2023-08-31 Expired	LTS
23.4	2023-03-14	-	2023-06-13 Expired
23.2	2023-02-10	-	2023-05-09 Expired
23.0	2023-01-11	-	2023-05-31 Expired	LTS
22.20	2022-11-14	-	2023-03-13 Expired
22.18	2022-10-17	-	2023-02-28 Expired	LTS
22.16	2022-09-19	-	2022-12-18 Expired
22.14	2022-08-15	-	2022-11-14 Expired
22.12	2022-07-18	-	2022-11-30 Expired	LTS
22.10	2022-06-13	-	2022-09-19 Expired
22.8	2022-05-16	-	2022-08-15 Expired
22.6	2022-04-18	-	2022-08-31 Expired	LTS
22.4	2022-03-14	-	2022-06-13 Expired
22.2	2022-02-15	-	2022-05-16 Expired
22.0	2022-01-18	-	2022-05-31 Expired	LTS
21.20	2021-11-16	-	2022-03-15 Expired
21.18	2021-10-19	-	2022-02-28 Expired	LTS
21.16	2021-09-14	-	2021-12-15 Expired
21.14	2021-08-16	-	2021-11-16 Expired
21.12	2021-07-15	-	2021-11-30 Expired	LTS
21.10	2021-06-10	-	2021-09-14 Expired
21.8	2021-05-13	-	2021-10-16 Expired
21.6	2021-04-15	-	2021-08-31 Expired	LTS
21.4	2021-03-11	-	2021-06-10 Expired
21.0	2021-01-20	-	2021-05-31 Expired	LTS
7.20	2020-11-15	-	- Expired
7.18	2020-10-15	-	- Expired
7.16	2020-09-17	-	- Expired

Maintained Soon (≤ 180 days) Expired

Subscribe lifecycle: RSS · RSS (expired) · ICS

Subscribe CVEs: RSS for “Looker” · RSS (High+Critical only)

CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).

CVSS ≥ 0.0

2025-11-25

High

CVE-2025-12742

A Looker user with a Developer role could cause Looker to execute a malicious command, due to insecure processing of Teradata driver parameters. Looker-hosted and Self-hosted were found to be vulner…

CVSS: 7.5 CWE: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') View on NVD

2025-11-24

High

CVE-2025-12741

A Looker user with Developer role could create a database connection using Denodo driver and, by manipulating LookML, cause Looker to execute a malicious command. Looker-hosted and Self-hosted were…

CVSS: 7.7 CWE: CWE-20 - Improper Input Validation View on NVD

High

CVE-2025-12740

A Looker user with a Developer role could create a database connection using IBM DB2 driver and, by manipulating LookML, cause Looker to execute a malicious command, due to inadequate filtering of th…

CVSS: 7.7 CWE: CWE-20 - Improper Input Validation View on NVD

High

CVE-2025-12739

An attacker with viewer permissions in Looker could craft a malicious URL that, when opened by a Looker admin, would execute an attacker-supplied script. Exploitation required at least one Looker ext…

CVSS: 7.3 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

2025-11-20

Critical

CVE-2025-12414

An attacker could take over a Looker account in a Looker instance configured with OIDC authentication, due to email address string normalization.Looker-hosted and Self-hosted were found to be vulnera…

CVSS: 9.2 CWE: CWE-290 - Authentication Bypass by Spoofing View on NVD

2025-11-19

Medium

CVE-2025-12743

The Looker endpoint for generating new projects from database connections allows users to specify "looker" as a connection name, which is a reserved internal name for Looker's internal MySQL database…

CVSS: 6.0 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD

High

CVE-2025-12472

An attacker with a Looker Developer role could manipulate a LookML project to exploit a race condition during Git directory deletion, leading to arbitrary command execution on the Looker instance.…

CVSS: 7.1 CWE: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') View on NVD

2025-11-10

High

CVE-2025-12405

An improper privilege management vulnerability was found in Looker Studio. It impacted all JDBC-based connectors. A Looker Studio user with report view access could make a copy of the report and exe…

CVSS: 7.7 CWE: CWE-269 - Improper Privilege Management View on NVD

High

CVE-2025-12409

A SQL injection vulnerability was discovered in Looker Studio that allowed for data exfiltration from BigQuery data sources. By creating a malicious report with native functions enabled, and having…

CVSS: 7.3 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD

High

CVE-2025-12397

A SQL injection vulnerability was found in Looker Studio. A Looker Studio user with report view access could inject malicious SQL that would execute with the report owner's permissions. The vulnerab…

CVSS: 7.6 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD

High

CVE-2025-12155

A Command Injection vulnerability, resulting from improper file path sanitization (Directory Traversal) in Looker allows an attacker with Developer permission to execute arbitrary shell commands when…

CVSS: 7.1 CWE: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection') View on NVD

2024-10-11

High

CVE-2024-8912

An HTTP Request Smuggling vulnerability in Looker allowed an unauthorized attacker to capture HTTP responses destined for legitimate users. There are two Looker versions that are hosted by Looker:…

CVSS: 7.5 CWE: CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') View on NVD

2024-05-22

Medium

CVE-2024-5166

An Insecure Direct Object Reference in Google Cloud's Looker allowed metadata exposure across authenticated Looker users sharing the same LookML model.

CVSS: 6.5 CWE: CWE-639 - Authorization Bypass Through User-Controlled Key View on NVD