[CVE-2025-59297] [Modified: 08-10-2025] [Analyzed] [V3.1 S7.8:HIGH] Delta Electronics DIAScreen lacks proper validation of the user-supplied file. If a user opens a malicious file, an attacker can leverage this vulnerability to execute code in the context of the current process.

[CVE-2025-59298] [Modified: 08-10-2025] [Analyzed] [V3.1 S7.8:HIGH] Delta Electronics DIAScreen lacks proper validation of the user-supplied file. If a user opens a malicious file, an attacker can leverage this vulnerability to execute code in the context of the current process.

[CVE-2025-59299] [Modified: 08-10-2025] [Analyzed] [V3.1 S7.8:HIGH] Delta Electronics DIAScreen lacks proper validation of the user-supplied file. If a user opens a malicious file, an attacker can leverage this vulnerability to execute code in the context of the current process.

[CVE-2025-59300] [Modified: 08-10-2025] [Analyzed] [V3.1 S7.8:HIGH] Delta Electronics DIAScreen lacks proper validation of the user-supplied file. If a user opens a malicious file, an attacker can leverage this vulnerability to execute code in the context of the current process.

[CVE-2025-59536] [Modified: 23-10-2025] [Analyzed] [V3.1 S8.8:HIGH] Claude Code is an agentic coding tool. Versions before 1.0.111 were vulnerable to Code Injection due to a bug in the startup trust dialog implementation. Claude Code could be tricked to execute code contained in a project before the user accepted the startup trust dialog. Exploiting this requires a user to start Claude Code in an untrusted directory. Users on standard Claude Code auto-update will have received this fix automatically. Users performing manual updates are advised to update to the latest version. This issue is fixed in version 1.0.111.

[CVE-2025-61589] [Modified: 20-10-2025] [Analyzed] [V3.1 S5.9:MEDIUM] Cursor is a code editor built for programming with AI. In versions 1.6 and below, Mermaid (a tool to render diagrams) allows embedding images which then get rendered by Cursor in the chat box. An attacker can use this to exfiltrate sensitive information to a third-party attacker-controlled server through an image fetch after successfully performing a prompt injection. A malicious model (or hallucination/backdoor) might also trigger this exploit at will. This issue requires prompt injection from malicious data (web, image upload, source code) in order to exploit. In that case, it can send sensitive information to an attacker-controlled external server. Some additional bypasses not covered in the initial fix to this issue were discovered; see GHSA-43wj-mwcc-x93p. This issue is fixed in version 1.7.

[CVE-2025-61597] [Modified: 20-10-2025] [Analyzed] [V3.1 S7.6:HIGH] Emlog is an open source website building system. In versions 2.5.21 and below, an HTML template injection allows stored cross‑site scripting (XSS) via the mail template settings. Once a malicious payload is saved, any subsequent visit to the settings page in an authenticated admin context will execute attacker‑controlled JavaScript, enabling session/token theft and full admin account takeover. This issue is fixed in version 2.5.22.

[CVE-2025-61599] [Modified: 08-10-2025] [Analyzed] [V3.1 S5.4:MEDIUM] Emlog is an open source website building system. A stored Cross-Site Scripting (XSS) vulnerability exists in the "Twitter" feature of EMLOG Pro 2.5.21 and below. An authenticated user with privileges to post a "Twitter" message can inject arbitrary JavaScript code. The malicious script is stored on the server and gets executed in the browser of any user, including administrators, when they click on the malicious post to view it. This issue does not currently have a fix.

[CVE-2025-27231] [Modified: 08-10-2025] [Analyzed] [V3.1 S4.9:MEDIUM] The LDAP 'Bind password' value cannot be read after saving, but a Super Admin account can leak it by changing LDAP 'Host' to a rogue LDAP server. To mitigate this, the 'Bind password' value is now reset on 'Host' change.

[CVE-2025-27236] [Modified: 08-10-2025] [Analyzed] [V3.1 S6.5:MEDIUM] A regular Zabbix user can search other users in their user group via Zabbix API by selecting fields the user does not have access to view. This allows data-mining some field values the user does not have access to.

[CVE-2025-49641] [Modified: 08-10-2025] [Analyzed] [V3.1 S4.3:MEDIUM] A regular Zabbix user with no permission to the Monitoring -> Problems view is still able to call the problem.view.refresh action and therefore still retrieve a list of active problems.

[CVE-2025-59489] [Modified: 22-10-2025] [Analyzed] [V3.1 S7.4:HIGH] Unity Runtime before 2025-10-02 on Android, Windows, macOS, and Linux allows argument injection that can result in loading of library code from an unintended location. If an application was built with a version of Unity Editor that had the vulnerable Unity Runtime code, then an adversary may be able to execute code on, and exfiltrate confidential information from, the machine on which that application is running. NOTE: product status is provided for Unity Editor because that is the information available from the Supplier. However, updating Unity Editor typically does not address the effects of the vulnerability; instead, it is necessary to rebuild and redeploy all affected applications.

[CVE-2025-60445] [Modified: 10-10-2025] [Analyzed] [V3.1 S6.1:MEDIUM] A stored Cross-Site Scripting (XSS) vulnerability has been discovered in XunRuiCMS version 4.7.1. The vulnerability exists due to insufficient validation of SVG file uploads in the dayrui/Fcms/Library/Upload.php component, allowing attackers to inject malicious JavaScript code that executes when the uploaded file is viewed.

[CVE-2025-60447] [Modified: 08-10-2025] [Analyzed] [V3.1 S5.9:MEDIUM] A stored Cross-Site Scripting (XSS) vulnerability has been discovered in Emlog Pro 2.5.19. The vulnerability exists in the email template configuration component located at /admin/setting.php?action=mail, which allows administrators to input HTML code that is not properly sanitized, leading to persistent JavaScript execution.

[CVE-2025-60448] [Modified: 08-10-2025] [Analyzed] [V3.1 S6.1:MEDIUM] A stored Cross-Site Scripting (XSS) vulnerability has been discovered in Emlog Pro 2.5.19. The vulnerability exists due to insufficient validation of SVG file uploads in the /admin/media.php component, allowing attackers to upload malicious SVG files containing JavaScript code that executes when the uploaded file is viewed.

[CVE-2025-60449] [Modified: 08-10-2025] [Analyzed] [V3.1 S4.9:MEDIUM] An information disclosure vulnerability has been discovered in SeaCMS 13.1. The vulnerability exists in the admin_safe.php component located in the /btcoan/ directory. This security flaw allows authenticated administrators to scan and download not only the application’s source code but also potentially any file accessible on the server’s root directory.

[CVE-2025-60450] [Modified: 07-10-2025] [Analyzed] [V3.1 S6.1:MEDIUM] A stored Cross-Site Scripting (XSS) vulnerability has been discovered in MetInfo CMS version 8.0. The vulnerability exists due to insufficient validation and sanitization of SVG file uploads in the app\system\include\module\editor\Uploader.class.php component. This security flaw allows attackers to upload malicious SVG files containing JavaScript code that executes when the uploaded file is viewed or accessed.

[CVE-2025-60451] [Modified: 07-10-2025] [Analyzed] [V3.1 S6.1:MEDIUM] A stored Cross-Site Scripting (XSS) vulnerability has been discovered in MetInfo CMS version 8.0. The vulnerability exists due to insufficient validation and sanitization of SVG file uploads in the app\system\include\module\uploadify.class.php component, specifically in the website settings module. This security flaw allows attackers to upload malicious SVG files containing JavaScript code that executes when the uploaded file is viewed or accessed.

[CVE-2025-60452] [Modified: 07-10-2025] [Analyzed] [V3.1 S6.1:MEDIUM] A stored Cross-Site Scripting (XSS) vulnerability has been discovered in MetInfo CMS version 8.0. The vulnerability exists in the download management module, specifically in the app\system\download\admin\download_admin.class.php component. The vulnerability allows attackers to upload malicious SVG files containing JavaScript code that executes when the uploaded file is viewed or accessed by users.

[CVE-2025-60453] [Modified: 07-10-2025] [Analyzed] [V3.1 S6.1:MEDIUM] A stored Cross-Site Scripting (XSS) vulnerability has been discovered in MetInfo CMS version 8.0. The vulnerability exists in the column management module, specifically in the app\system\column\admin\index.class.php component. The vulnerability allows attackers to upload malicious SVG files containing JavaScript code that executes when the uploaded file is viewed or accessed by users.