Security Vulnerabilities - CVEs Published In October 2025
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal JSON Field allows Cross-Site Scripting (XSS).This issue affects JSON Field: from 0.0.0 before 1.5.
CVSS Score
6.1
EPSS Score
0.0
Published
2025-10-30
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Plausible tracking allows Cross-Site Scripting (XSS).This issue affects Plausible tracking: from 0.0.0 before 1.0.2.
CVSS Score
6.1
EPSS Score
0.0
Published
2025-10-30
The Reader.ReadResponse function constructs a response string through repeated string concatenation of lines. When the number of lines in a response is large, this can cause excessive CPU consumption.
CVSS Score
5.3
EPSS Score
0.0
Published
2025-10-29
Parsing a maliciously crafted DER payload could allocate large amounts of memory, causing memory exhaustion.
CVSS Score
5.3
EPSS Score
0.0
Published
2025-10-29
Due to the design of the name constraint checking algorithm, the processing time of some inputs scale non-linearly with respect to the size of the certificate. This affects programs which validate arbitrary certificate chains.
CVSS Score
7.5
EPSS Score
0.0
Published
2025-10-29
Validating certificate chains which contain DSA public keys can cause programs to panic, due to a interface cast that assumes they implement the Equal method. This affects programs which validate arbitrary certificate chains.
CVSS Score
7.5
EPSS Score
0.0
Published
2025-10-29
When Conn.Handshake fails during ALPN negotiation the error contains attacker controlled information (the ALPN protocols sent by the client) which is not escaped.
CVSS Score
5.3
EPSS Score
0.0
Published
2025-10-29
The processing time for parsing some invalid inputs scales non-linearly with respect to the size of the input. This affects programs which parse untrusted PEM inputs.
CVSS Score
7.5
EPSS Score
0.0
Published
2025-10-29
The Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: "http://[::1]/". IPv4 addresses and hostnames must not appear within square brackets. Parse did not enforce this requirement.
CVSS Score
5.3
EPSS Score
0.0
Published
2025-10-29
Prior to September 19, 2025, the Hospital Manager Backend Services exposed the ASP.NET tracing endpoint /trace.axd without authentication, allowing a remote attacker to obtain live request traces and sensitive information such as request metadata, session identifiers, authorization headers, server variables, and internal file paths.
CVSS Score
8.7
EPSS Score
0.002
Published
2025-10-29