CVE-2025-67627 identifies a Stored Cross-site Scripting (XSS) vulnerability in the TouchOfTech Draft Notify product, specifically in versions up to and including 1.5. The vulnerability stems from improper neutralization of user-supplied input during the generation of web pages, which allows malicious scripts to be stored and later executed in the context of other users' browsers. This type of XSS is particularly dangerous because the malicious payload persists on the server and can affect multiple users who access the compromised content. The CVSS 3.1 base score is 5.4, reflecting a medium severity level. The vector indicates the attack can be performed remotely (AV:N) with low attack complexity (AC:L), but requires privileges (PR:L) and user interaction (UI:R). The scope is changed (S:C), meaning the vulnerability affects resources beyond the initially vulnerable component. The impact is limited to partial confidentiality and integrity loss (C:L/I:L) without affecting availability (A:N). No known exploits have been reported in the wild, and no patches or mitigations have been linked yet. The vulnerability was reserved and published in December 2025 by Patchstack. Stored XSS vulnerabilities can be leveraged for session hijacking, credential theft, or delivering further malware, especially in environments where users trust the affected application. Draft Notify is a tool likely used for document or draft notifications, which may be integrated into collaborative workflows, increasing the risk of exposure.

For European organizations, this vulnerability poses a risk primarily to the confidentiality and integrity of user data within the Draft Notify application. Attackers with limited privileges could inject malicious scripts that execute in the browsers of other users, potentially leading to session hijacking, unauthorized actions, or data leakage. While availability is not impacted, the breach of confidentiality and integrity can undermine trust and compliance with data protection regulations such as GDPR. Organizations relying on Draft Notify for internal or external communications may face reputational damage and legal consequences if sensitive information is exposed. The requirement for user interaction reduces the likelihood of automated widespread exploitation but does not eliminate targeted attacks. The impact is more pronounced in sectors with high regulatory scrutiny and sensitive data handling, such as finance, healthcare, and government institutions within Europe.

European organizations should implement the following specific mitigations: 1) Monitor TouchOfTech communications for official patches and apply updates to Draft Notify promptly once available. 2) Employ strict input validation and sanitization on all user inputs within Draft Notify, using context-aware encoding to prevent script injection. 3) Deploy Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of potential XSS payloads. 4) Conduct regular security audits and penetration testing focused on web application vulnerabilities, including stored XSS. 5) Educate users about the risks of interacting with suspicious links or content within Draft Notify to reduce successful exploitation via social engineering. 6) Consider isolating or sandboxing the Draft Notify application environment to limit the scope of any compromise. 7) Implement multi-factor authentication and session management best practices to mitigate session hijacking risks. 8) Review and restrict user privileges to the minimum necessary to reduce the attack surface. These measures go beyond generic advice by focusing on the specific context of Draft Notify and the nature of stored XSS.