[19/02/2026 18:25] União de Maricá é campeã da Série Ouro e desfila no Grupo Especial em 2027 - G1

[19/02/2026 11:27] Master: irritações, medos, desconfianças e certezas no STF - Metrópoles

[19/02/2026 14:50] Lula e Macron se reúnem para discutir o combate ao narcotráfico e ao garimpo ilegal - CartaCapital

[19/02/2026 08:24] Frente fria provoca chuva forte e derruba temperaturas em parte do país - Canal Rural

[19/02/2026 12:52] Divulgada pré-seleção para o 1º Fies de 2026 — Ministério da Educação - www.gov.br

[19/02/2026 09:38] PCC tem até ‘código de conduta’ nas redes sociais aos faccionados - Jovem Pan

[19/02/2026 16:25] Simões e Nikolas colocam PT no alvo e trocam afagos durante agenda conjunta em Juiz de Fora - O TEMPO

[19/02/2026 14:51] Bebê encontrada em bueiro já tinha sido abandonada antes, diz tia - Estado de Minas

[19/02/2026 18:32] Lei do ‘Escola Sem Partido’ é inconstitucional, decide STF - O Antagonista

[18/02/2026 18:21] Carlos Bolsonaro publica foto com Caroline de Toni em meio a disputa por vaga no Senado em SC - UOL Notícias

[CVE-2025-62612] [Modified: 29-12-2025] [Analyzed] [V3.1 S5.3:MEDIUM] FastGPT is an AI Agent building platform. Prior to version 4.11.1, in the workflow file reading node, the network link is not security-verified, posing a risk of SSRF attacks. This issue has been patched in version 4.11.1.

[CVE-2025-62617] [Modified: 30-10-2025] [Analyzed] [V3.1 S7.2:HIGH] Admidio is an open-source user management solution. Prior to version 4.3.17, an authenticated SQL injection vulnerability exists in the member assignment data retrieval functionality of Admidio. Any authenticated user with permissions to assign members to a role (such as an administrator) can exploit this vulnerability to execute arbitrary SQL commands. This can lead to a full compromise of the application's database, including reading, modifying, or deleting all data. This issue has been patched in version 4.3.17.

[CVE-2025-62705] [Modified: 27-10-2025] [Analyzed] [V3.1 S4.9:MEDIUM] OpenBao is an open source identity-based secrets management system. Prior to version 2.4.2, OpenBao's audit log did not appropriately redact fields when relevant subsystems sent []byte response parameters rather than strings. This includes, but is not limited to sys/raw with use of encoding=base64, all data would be emitted unredacted to the audit log, and Transit, when performing a signing operation with a derived Ed25519 key, would emit public keys to the audit log. This issue has been patched in OpenBao 2.4.2.

[CVE-2025-62707] [Modified: 27-10-2025] [Analyzed] [V3.1 S7.5:HIGH] pypdf is a free and open-source pure-python PDF library. Prior to version 6.1.3, an attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires parsing the content stream of a page which has an inline image using the DCTDecode filter. This has been fixed in pypdf version 6.1.3.

[CVE-2025-62708] [Modified: 27-10-2025] [Analyzed] [V3.1 S7.5:HIGH] pypdf is a free and open-source pure-python PDF library. Prior to version 6.1.3, an attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing the content stream of a page using the LZWDecode filter. This has been fixed in pypdf version 6.1.3.

[CVE-2025-62710] [Modified: 30-10-2025] [Analyzed] [V3.1 S5.9:MEDIUM] Sakai is a Collaboration and Learning Environment. Prior to versions 23.5 and 25.0, EncryptionUtilityServiceImpl initialized an AES256TextEncryptor password (serverSecretKey) using RandomStringUtils with the default java.util.Random. java.util.Random is a non‑cryptographic PRNG and can be predicted from limited state/seed information (e.g., start time window), substantially reducing the effective search space of the generated key. An attacker who can obtain ciphertexts (e.g., exported or at‑rest strings protected by this service) and approximate the PRNG seed can feasibly reconstruct the serverSecretKey and decrypt affected data. SAK-49866 is patched in Sakai 23.5, 25.0, and trunk.

[CVE-2025-12104] [Modified: 07-11-2025] [Analyzed] [V3.1 S9.8:CRITICAL] Outdated and Vulnerable UI Dependencies might potentially lead to exploitation.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5.

[CVE-2025-54806] [Modified: 12-11-2025] [Analyzed] [V3.1 S6.1:MEDIUM] GROWI v4.2.7 and earlier contains a cross-site scripting vulnerability in the page alert function. If a user accesses a crafted URL while logged in to the affected product, an arbitrary script may be executed on the user's web browser.

[CVE-2025-9980] [Modified: 17-11-2025] [Analyzed] [V3.1 S4.8:MEDIUM] QuickCMS is vulnerable to multiple Stored XSS in page editor functionality (pages-form). Malicious attacker with admin privileges can inject arbitrary HTML and JS into website, which will be rendered/executed when visiting edited page. By default admin user is not able to add JavaScript into the website. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.8 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.

[CVE-2025-9981] [Modified: 17-11-2025] [Analyzed] [V3.1 S4.8:MEDIUM] QuickCMS is vulnerable to multiple Stored XSS in slider editor functionality (sliders-form). Malicious attacker with admin privileges can inject arbitrary HTML and JS into website, which will be rendered/executed on every page. By default admin user is not able to add JavaScript into the website. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.8 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.

[CVE-2025-40643] [Modified: 31-10-2025] [Analyzed] [V3.1 S5.4:MEDIUM] Stored Cross-Site Scripting (XSS) vulnerability in Energy CRM v2025 by Status Tracker Ltd, consisting of a stored XSS due to lack of proper validation of user input by sending a POST request to “/crm/create_job_submit.php”, using the “JobCreatedBy” parameter. This vulnerability could allow a remote user to send a specially crafted query to an authenticated user and steal their cookie session details.

[CVE-2025-41073] [Modified: 30-10-2025] [Analyzed] [V3.1 S6.5:MEDIUM] Path Traversal vulnerability in version 4.4.2236.1 of TESI Gandia Integra Total. This issue allows an authenticated attacker to download a ZIP file containing files from the server, including those located in parent directories (e.g., ..\..\..), by exploiting the “direstudio” parameter in “/encuestas/integraweb[_v4]/integra/html/view/comprimir.php”.

[CVE-2025-62393] [Modified: 14-11-2025] [Analyzed] [V3.1 S4.3:MEDIUM] A flaw was found in the course overview output function where user access permissions were not fully enforced. This could allow unauthorized users to view information about courses they should not have access to, potentially exposing limited course details.

[CVE-2025-62394] [Modified: 14-11-2025] [Analyzed] [V3.1 S4.3:MEDIUM] Moodle failed to verify enrolment status correctly when sending quiz notifications. As a result, suspended or inactive users might receive quiz-related messages, leaking limited course information.

[CVE-2025-62395] [Modified: 14-11-2025] [Analyzed] [V3.1 S4.3:MEDIUM] A flaw in the cohort search web service allowed users with permissions in lower contexts to access cohort information from the system context, revealing restricted administrative data.

[CVE-2025-62396] [Modified: 14-11-2025] [Analyzed] [V3.1 S5.3:MEDIUM] An error-handling issue in the Moodle router (r.php) could cause the application to display internal directory listings when specific HTTP headers were not properly configured.

[CVE-2025-62397] [Modified: 14-11-2025] [Analyzed] [V3.1 S5.3:MEDIUM] The router’s inconsistent response to invalid course IDs allowed attackers to infer which course IDs exist, potentially aiding reconnaissance.

[CVE-2025-62398] [Modified: 14-11-2025] [Analyzed] [V3.1 S5.4:MEDIUM] A serious authentication flaw allowed attackers with valid credentials to bypass multi-factor authentication under certain conditions, potentially compromising user accounts.

[CVE-2025-62399] [Modified: 14-11-2025] [Analyzed] [V3.1 S7.5:HIGH] Moodle’s mobile and web service authentication endpoints did not sufficiently restrict repeated password attempts, making them susceptible to brute-force attacks.

[CVE-2025-62400] [Modified: 14-11-2025] [Analyzed] [V3.1 S4.3:MEDIUM] Moodle exposed the names of hidden groups to users who had permission to create calendar events but not to view hidden groups. This could reveal private or restricted group information.