CVE-2025-31488 MEDIUM

CVE-2025-31488: Plain Craft Launcher's custom homepage can use Internet Explorer to load web pages with the help of controls such as WebBrowser

Vendor Hex-Dragon
Product PCL2
Weakness CWE-20 · Input validation
Published April 6, 2025
Last update April 7, 2025

CVSS base score

4.9/10
Attack vector Local
Attack complexity Low
Privileges required None
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H

What the vulnerability does

01 Description

Plain Craft Launcher (PCL) is a launcher for Minecraft. PCL allows users to use homepages provided by third parties. If a homepage uses controls such as WebBrowser, WPF uses Internet Explorer to load the specified web page. If the user installs a malicious homepage, the attacker can have Internet Explorer load the specified web page in the background without the user's knowledge. This vulnerability is fixed in 2.9.3.

Key dates

02 Disclosure timeline

April 6, 2025 CVE published
April 7, 2025 Record updated