CVE Identifier: CVE-2025-67231
Vulnerability Type: Reflected Cross-Site Scripting (XSS)
Product Affected: ToDesktop Builder
Affected Versions: ToDesktop Builder before 0.33.1
Fixed in Version: 0.33.1
Severity: Medium (CVSS 4.0: 5.9)
Attack Vector: Network-based, requires user interaction with a malicious link.

Potential Impact: An attacker could craft a malicious custom protocol link that executes arbitrary JavaScript with access to the ToDesktop API, enabling unauthorized actions like opening malicious pages in the user's browser.

Technical Details: Applications built with affected versions of ToDesktop Builder were susceptible to reflected XSS attacks via the custom URL protocol handler. User-supplied input in the protocol URL was not properly sanitized before being rendered.

CVSS 4.0 Vector:

Timeline:
- September 25th, 2025 1:42 am - Vulnerability reported by Hunter Wodzenski
- September 26th, 2025 11:30 pm - Fixed version of ToDesktop Builder released

References:
- CVE-2025-67231
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
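
The bug class described under Technical Details, shown as an added example that is not ToDesktop's code or its fix: a custom-protocol link parameter reflected into markup unchanged, beside a handler that validates the link and escapes on output. The `exampleapp:` scheme, the `open` action, the `title` parameter and all function names are assumptions made for illustration.

```javascript
// Hypothetical custom-protocol handler; scheme, action and parameter
// names are assumptions, not taken from ToDesktop Builder.
const ALLOWED_SCHEME = "exampleapp:";
const ALLOWED_ACTIONS = new Set(["open"]);
const MAX_TITLE_LENGTH = 100;

// Constructed sample link: the title decodes to an HTML tag with an
// event-handler attribute (EXAMPLE is an inert placeholder).
const SAMPLE_LINK =
  "exampleapp://open?title=%3Cimg%20src%3Dx%20onerror%3DEXAMPLE%3E";

const HTML_ENTITIES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

// Encode the characters that can change HTML parsing context.
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Vulnerable pattern: the decoded parameter is concatenated into markup,
// so whatever the link author supplied is parsed as HTML.
function renderUnsafe(link) {
  const title = new URL(link).searchParams.get("title") ?? "";
  return `<h1>${title}</h1>`;
}

// Hardened pattern: reject unparsable links, unexpected schemes and
// unknown actions, bound the length, and escape at the point of output.
function renderSafe(link) {
  let url;
  try {
    url = new URL(link);
  } catch {
    return null; // not a URL at all
  }
  if (url.protocol !== ALLOWED_SCHEME) return null;
  if (!ALLOWED_ACTIONS.has(url.hostname)) return null;
  const title = (url.searchParams.get("title") ?? "").slice(0, MAX_TITLE_LENGTH);
  return `<h1>${escapeHtml(title)}</h1>`;
}

console.log(renderUnsafe(SAMPLE_LINK));
console.log(renderSafe(SAMPLE_LINK));
```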