[29/04/2026 22:01] Senado rejeita nome ao STF após 132 anos, impõe derrota histórica a Lula e barra indicação de Messias à Corte - O GLOBO

[29/04/2026 15:00] Livro registra liberação de malas sem raio X em voo com Motta e Ciro Nogueira - Metrópoles

[29/04/2026 14:40] Novas imagens mostram atirador armado fazendo selfies antes dos disparos em jantar com Trump - O GLOBO

[29/04/2026 10:30] A variação na popularidade de Tarcísio, a 5 meses da eleição em São Paulo - CartaCapital

[29/04/2026 12:40] Em qual canal vai passar o jogo Estudiantes x Flamengo hoje (29/4)? - No Ataque

[29/04/2026 18:50] PC prende quadrilha que faturou R$ 10 milhões em golpe do IPVA em Minas - Estado de Minas

[29/04/2026 18:30] Guerras no Irã e Ucrânia podem terminar em cronograma semelhante, diz Trump - CNN Brasil

[29/04/2026 08:13] Trump publica foto segurando fuzil e diz que Irã precisa ‘ficar esperto logo’ - R7

[29/04/2026 17:04] Melania evita mão de Trump durante foto com rei Charles - Poder360

[28/04/2026 16:06] Trump rebate chanceler alemão sobre Irã: "Ele não sabe o que fala" - CNN Brasil

[CVE-2025-15264] [Modified: 29-04-2026] [Analyzed] [V3.1 S7.3:HIGH] A vulnerability was determined in FeehiCMS up to 2.1.1. Impacted is an unknown function of the file frontend/web/timthumb.php of the component TimThumb. Executing manipulation of the argument src can lead to server-side request forgery. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.

[CVE-2025-66824] [Modified: 07-01-2026] [Analyzed] [V3.1 S8.7:HIGH] A Stored Cross-Site Scripting (XSS) vulnerability exists in the Meeting location field of the Create/Edit Conference functionality in TrueConf Server v5.5.2.10813. The injected payload is stored via the meeting_room parameter and executed when users visit the Conference Info page, allowing attackers to achieve full Account Takeover (ATO). This issue is caused by improper sanitization of user-supplied input in the meeting_room field.

[CVE-2025-66834] [Modified: 07-01-2026] [Analyzed] [V3.1 S7.3:HIGH] A CSV Formula Injection vulnerability in TrueConf Server v5.5.2.10813 allows a normal user to inject malicious spreadsheet formulas into exported chat logs via crafted Display Name.

[CVE-2025-66835] [Modified: 09-01-2026] [Analyzed] [V3.1 S7.1:HIGH] TrueConf Client 8.5.2 is vulnerable to DLL hijacking via crafted wfapi.dll allowing local attackers to execute arbitrary code within the user's context.

[CVE-2025-69256] [Modified: 23-03-2026] [Analyzed] [V3.1 S7.5:HIGH] The Serverless Framework is a framework for using AWS Lambda and other managed cloud services to build applications. Starting in version 4.29.0 and prior to version 4.29.3, a command injection vulnerability exists in the Serverless Framework's built-in MCP server package (@serverless/mcp). This vulnerability only affects users of the experimental MCP server feature (serverless mcp), which represents less than 0.1% of Serverless Framework users. The core Serverless Framework CLI and deployment functionality are not affected. The vulnerability is caused by the unsanitized use of input parameters within a call to `child_process.exec`, enabling an attacker to inject arbitrary system commands. Successful exploitation can lead to remote code execution under the server process's privileges. The server constructs and executes shell commands using unvalidated user input directly within command-line strings. This introduces the possibility of shell metacharacter injection (`|`, `>`, `&&`, etc.). Version 4.29.3 fixes the issue.

[CVE-2025-15353] [Modified: 29-04-2026] [Analyzed] [V3.1 S7.3:HIGH] A vulnerability was detected in itsourcecode Society Management System 1.0. Impacted is the function edit_admin_query of the file /admin/edit_admin_query.php. Performing manipulation of the argument Username results in sql injection. It is possible to initiate the attack remotely. The exploit is now public and may be used.

[CVE-2025-15354] [Modified: 29-04-2026] [Analyzed] [V3.1 S7.3:HIGH] A flaw has been found in itsourcecode Society Management System 1.0. The affected element is an unknown function of the file /admin/add_admin.php. Executing manipulation of the argument Username can lead to sql injection. It is possible to launch the attack remotely. The exploit has been published and may be used.

[CVE-2025-50343] [Modified: 09-01-2026] [Analyzed] [V3.1 S9.8:CRITICAL] An issue was discovered in matio 1.5.28. A heap-based memory corruption can occur in Mat_VarCreateStruct() when the nfields value does not match the actual number of strings in the fields array. This leads to out-of-bounds reads and invalid memory frees during cleanup, potentially causing a segmentation fault or heap corruption.

[CVE-2025-66823] [Modified: 07-01-2026] [Analyzed] [V3.1 S5.4:MEDIUM] An HTML Injection vulnerability in TrueConf server 5.5.2.10813 in the conference description field allows an attacker to inject arbitrary HTML in the Create/Edit conference functionality. The payload will be triggered when the victim opens the Conference Info page ([conference url]/info).

[CVE-2025-69210] [Modified: 23-02-2026] [Analyzed] [V3.1 S5.4:MEDIUM] FacturaScripts is open-source enterprise resource planning and accounting software. Prior to version 2025.7, a stored cross-site scripting (XSS) vulnerability exists in the product file upload functionality. Authenticated users can upload crafted XML files containing executable JavaScript. These files are later rendered by the application without sufficient sanitization or content-type enforcement, allowing arbitrary JavaScript execution when the file is accessed. Because product files uploaded by regular users are visible to administrative users, this vulnerability can be leveraged to execute malicious JavaScript in an administrator’s browser session. Version 2025.7 fixes the issue.

[CVE-2025-69261] [Modified: 09-03-2026] [Analyzed] [V3.1 S7.5:HIGH] WasmEdge is a WebAssembly runtime. Prior to version 0.16.0-alpha.3, a multiplication in `WasmEdge/include/runtime/instance/memory.h` can wrap, causing `checkAccessBound()` to incorrectly allow the access. This leads to a segmentation fault. Version 0.16.0-alpha.3 contains a patch for the issue.

[CVE-2025-15356] [Modified: 31-12-2025] [Analyzed] [V3.1 S8.8:HIGH] A vulnerability has been found in Tenda AC20 up to 16.03.08.12. The impacted element is the function sscanf of the file /goform/PowerSaveSet. The manipulation of the argument powerSavingEn/time/powerSaveDelay/ledCloseType leads to buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

[CVE-2025-15357] [Modified: 29-04-2026] [Analyzed] [V3.1 S6.3:MEDIUM] A vulnerability was found in D-Link DI-7400G+ 19.12.25A1. This affects an unknown function of the file /msp_info.htm?flag=cmd. The manipulation of the argument cmd results in command injection. The attack can be launched remotely. The exploit has been made public and could be used.

[CVE-2025-66723] [Modified: 05-01-2026] [Analyzed] [V3.1 S7.5:HIGH] inMusic Brands Engine DJ before 4.3.4 suffers from Insecure Permissions due to exposed HTTP service in the Remote Library, which allows attackers to access all files and network paths.

[CVE-2025-15360] [Modified: 29-04-2026] [Analyzed] [V3.1 S4.7:MEDIUM] A vulnerability was determined in newbee-mall-plus 2.0.0. This impacts the function Upload of the file src/main/java/ltd/newbee/mall/controller/common/UploadController.java of the component Product Information Edit Page. This manipulation of the argument File causes unrestricted upload. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.

[CVE-2022-50692] [Modified: 20-01-2026] [Analyzed] [V3.1 S7.5:HIGH] SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x and below contain an insufficient session expiration vulnerability that allows attackers to reuse old session credentials. Attackers can exploit weak session management to potentially hijack active user sessions and gain unauthorized access to the application.

[CVE-2022-50787] [Modified: 13-01-2026] [Analyzed] [V3.1 S7.2:HIGH] SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x contains an unauthenticated stored cross-site scripting vulnerability in the username parameter that allows attackers to inject malicious scripts. Attackers can exploit the unvalidated username input to execute arbitrary HTML and JavaScript code in victim browser sessions without authentication.

[CVE-2022-50788] [Modified: 13-01-2026] [Analyzed] [V3.1 S7.5:HIGH] SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x contains an information disclosure vulnerability that allows unauthenticated attackers to access sensitive log files. Attackers can directly browse the /log directory to retrieve system and sensitive information without authentication.

[CVE-2022-50793] [Modified: 13-01-2026] [Analyzed] [V3.1 S8.8:HIGH] SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x contains an authenticated command injection vulnerability in the www-data-handler.php script that allows attackers to inject system commands through the 'services' POST parameter. Attackers can exploit this vulnerability by crafting malicious 'services' parameter values to execute arbitrary system commands with www-data user privileges.

[CVE-2022-50794] [Modified: 13-01-2026] [Analyzed] [V3.1 S9.8:CRITICAL] SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x and below contain an unauthenticated command injection vulnerability in the username parameter. Attackers can exploit index.php and login.php scripts by injecting arbitrary shell commands through the HTTP POST 'username' parameter to execute system commands.