[31/01/2026 03:30] Tebet aceita se candidatar, e Marina Silva se movimenta por vaga na corrida ao Senado por SP - O Globo

[31/01/2026 10:16] Comandante militar do Irã dá alerta aos EUA: 'Tecnologia nuclear não pode ser eliminada' - UOL Notícias

[31/01/2026 06:27] As previsões sobre inteligência artificial de 70 anos atrás que são realidade hoje - BBC

[31/01/2026 09:25] Cão Orelha: boicote de agências gera cancelamentos em hotéis de SC - Estado de Minas

[31/01/2026 00:01] Risco de derrota do PT no Nordeste preocupa Lula - Diário do Poder - Diário do Poder

[31/01/2026 11:03] O dilema de Flávio Bolsonaro - Revista Oeste

[31/01/2026 07:18] Foi dada a largada: BH promove neste sábado a abertura oficial do carnaval - Estado de Minas

[31/01/2026 11:15] Nova sede da Câmara Municipal de Fortaleza será no antigo Mucuripe Club - Diário do Nordeste

[30/01/2026 18:59] O plantio de maconha para fins medicinais - Folha de S.Paulo

[31/01/2026 05:00] O relato de Tarcísio sobre a situação de Bolsonaro na Papudinha - Metrópoles

[CVE-2025-59489] [Modified: 22-10-2025] [Analyzed] [V3.1 S7.4:HIGH] Unity Runtime before 2025-10-02 on Android, Windows, macOS, and Linux allows argument injection that can result in loading of library code from an unintended location. If an application was built with a version of Unity Editor that had the vulnerable Unity Runtime code, then an adversary may be able to execute code on, and exfiltrate confidential information from, the machine on which that application is running. NOTE: product status is provided for Unity Editor because that is the information available from the Supplier. However, updating Unity Editor typically does not address the effects of the vulnerability; instead, it is necessary to rebuild and redeploy all affected applications.

[CVE-2025-60445] [Modified: 10-10-2025] [Analyzed] [V3.1 S6.1:MEDIUM] A stored Cross-Site Scripting (XSS) vulnerability has been discovered in XunRuiCMS version 4.7.1. The vulnerability exists due to insufficient validation of SVG file uploads in the dayrui/Fcms/Library/Upload.php component, allowing attackers to inject malicious JavaScript code that executes when the uploaded file is viewed.

[CVE-2025-60447] [Modified: 08-10-2025] [Analyzed] [V3.1 S5.9:MEDIUM] A stored Cross-Site Scripting (XSS) vulnerability has been discovered in Emlog Pro 2.5.19. The vulnerability exists in the email template configuration component located at /admin/setting.php?action=mail, which allows administrators to input HTML code that is not properly sanitized, leading to persistent JavaScript execution.

[CVE-2025-60448] [Modified: 08-10-2025] [Analyzed] [V3.1 S6.1:MEDIUM] A stored Cross-Site Scripting (XSS) vulnerability has been discovered in Emlog Pro 2.5.19. The vulnerability exists due to insufficient validation of SVG file uploads in the /admin/media.php component, allowing attackers to upload malicious SVG files containing JavaScript code that executes when the uploaded file is viewed.

[CVE-2025-60449] [Modified: 08-10-2025] [Analyzed] [V3.1 S4.9:MEDIUM] An information disclosure vulnerability has been discovered in SeaCMS 13.1. The vulnerability exists in the admin_safe.php component located in the /btcoan/ directory. This security flaw allows authenticated administrators to scan and download not only the application’s source code but also potentially any file accessible on the server’s root directory.

[CVE-2025-60450] [Modified: 07-10-2025] [Analyzed] [V3.1 S6.1:MEDIUM] A stored Cross-Site Scripting (XSS) vulnerability has been discovered in MetInfo CMS version 8.0. The vulnerability exists due to insufficient validation and sanitization of SVG file uploads in the app\system\include\module\editor\Uploader.class.php component. This security flaw allows attackers to upload malicious SVG files containing JavaScript code that executes when the uploaded file is viewed or accessed.

[CVE-2025-60451] [Modified: 07-10-2025] [Analyzed] [V3.1 S6.1:MEDIUM] A stored Cross-Site Scripting (XSS) vulnerability has been discovered in MetInfo CMS version 8.0. The vulnerability exists due to insufficient validation and sanitization of SVG file uploads in the app\system\include\module\uploadify.class.php component, specifically in the website settings module. This security flaw allows attackers to upload malicious SVG files containing JavaScript code that executes when the uploaded file is viewed or accessed.

[CVE-2025-60452] [Modified: 07-10-2025] [Analyzed] [V3.1 S6.1:MEDIUM] A stored Cross-Site Scripting (XSS) vulnerability has been discovered in MetInfo CMS version 8.0. The vulnerability exists in the download management module, specifically in the app\system\download\admin\download_admin.class.php component. The vulnerability allows attackers to upload malicious SVG files containing JavaScript code that executes when the uploaded file is viewed or accessed by users.

[CVE-2025-60453] [Modified: 07-10-2025] [Analyzed] [V3.1 S6.1:MEDIUM] A stored Cross-Site Scripting (XSS) vulnerability has been discovered in MetInfo CMS version 8.0. The vulnerability exists in the column management module, specifically in the app\system\column\admin\index.class.php component. The vulnerability allows attackers to upload malicious SVG files containing JavaScript code that executes when the uploaded file is viewed or accessed by users.

[CVE-2025-60454] [Modified: 07-10-2025] [Analyzed] [V3.1 S6.1:MEDIUM] A stored Cross-Site Scripting (XSS) vulnerability has been discovered in MetInfo CMS version 8.0. The vulnerability exists in the image management module, specifically in the app\system\img\admin\img_admin.class.php component. The vulnerability allows attackers to upload malicious SVG files containing JavaScript code that executes when the uploaded file is viewed or accessed by users.

[CVE-2025-55971] [Modified: 15-10-2025] [Analyzed] [V3.1 S4.7:MEDIUM] TCL 65C655 Smart TV, running firmware version V8-R75PT01-LF1V269.001116 (Android TV, Kernel 5.4.242+), is vulnerable to a blind, unauthenticated Server-Side Request Forgery (SSRF) vulnerability via the UPnP MediaRenderer service (AVTransport:1). The device accepts unauthenticated SetAVTransportURI SOAP requests over TCP/16398 and attempts to retrieve externally referenced URIs, including attacker-controlled payloads. The blind SSRF allows for sending requests on behalf of the TV, which can be leveraged to probe for other internal or external services accessible by the device (e.g., 127.0.0.1:16XXX, LAN services, or internet targets), potentially enabling additional exploit chains.

[CVE-2025-55972] [Modified: 16-10-2025] [Analyzed] [V3.1 S7.5:HIGH] A TCL Smart TV running a vulnerable UPnP/DLNA MediaRenderer implementation is affected by a remote, unauthenticated Denial of Service (DoS) condition. By sending a flood of malformed or oversized SetAVTransportURI SOAP requests to the UPnP control endpoint, an attacker can cause the device to become unresponsive. This denial persists as long as the attack continues and affects all forms of TV operation. Manual user control and even reboots do not restore functionality unless the flood stops.

[CVE-2025-60787] [Modified: 10-10-2025] [Analyzed] [V3.1 S7.2:HIGH] MotionEye v0.43.1b4 and before is vulnerable to OS Command Injection in configuration parameters such as image_file_name. Unsanitized user input is written to Motion configuration files, allowing remote authenticated attackers with admin access to achieve code execution when Motion is restarted.

[CVE-2021-42193] [Modified: 19-12-2025] [Analyzed] [V3.1 S6.1:MEDIUM] nopCommerce 4.40.3 is vulnerable to XSS in the Product Name at /Admin/Product/Edit/[id]. Each time a user views the product in the shop, the XSS payload fires.

[CVE-2025-56551] [Modified: 15-10-2025] [Analyzed] [V3.1 S8.2:HIGH] An issue in DirectAdmin v1.680 allows unauthorized attackers to manipulate the page layout and replace the legitimate login interface with arbitrary attacker-controlled content via supplying a crafted GET request.

[CVE-2025-61590] [Modified: 17-10-2025] [Analyzed] [V3.1 S7.5:HIGH] Cursor is a code editor built for programming with AI. Versions 1.6 and below are vulnerable to Remote Code Execution (RCE) attacks through Visual Studio Code Workspaces. Workspaces allow users to open more than a single folder and save specific settings (pretty similar to .vscode/settings.json) for the folders / project. An untitled workspace is automatically created by VS Code (untitled.code-workspace), which contains all the folders and workspace settings from the user's current session, opening up an entire new attack vector if the user has a .code-workspace file in path (either untitled created automatically or a saved one). If an attacker is able to hijack the chat context of the victim (such as via a compromised MCP server), they can use prompt injection to make the Cursor Agent write into this file and modify the workspace. This leads to a bypass of CVE-2025-54130 which can lead to RCE by writing to the settings section. This issue is fixed in version 1.7.

[CVE-2025-61591] [Modified: 17-10-2025] [Analyzed] [V3.1 S8.8:HIGH] Cursor is a code editor built for programming with AI. In versions 1.7 and below, when MCP uses OAuth authentication with an untrusted MCP server, an attacker can impersonate a malicious MCP server and return crafted, maliciously injected commands during the interaction process, leading to command injection and potential remote code execution. If chained with an untrusted MCP service via OAuth, this command injection vulnerability could allow arbitrary code execution on the host by the agent. This can then be used to directly compromise the system by executing malicious commands with full user privileges. This issue does not currently have a fixed release version, but there is a patch, 2025.09.17-25b418f.

[CVE-2024-56804] [Modified: 07-10-2025] [Analyzed] [V3.1 S8.8:HIGH] An SQL injection vulnerability has been reported to affect Video Station. If a remote attacker gains a user account, they can then exploit the vulnerability to execute unauthorized code or commands. We have already fixed the vulnerability in the following version: Video Station 5.8.4 and later

[CVE-2025-33034] [Modified: 07-10-2025] [Analyzed] [V3.1 S6.5:MEDIUM] A path traversal vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following version: Qsync Central 5.0.0.1 ( 2025/07/09 ) and later

[CVE-2025-33039] [Modified: 07-10-2025] [Analyzed] [V3.1 S6.5:MEDIUM] An allocation of resources without limits or throttling vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to prevent other systems, applications, or processes from accessing the same type of resource. We have already fixed the vulnerability in the following version: Qsync Central 5.0.0.1 ( 2025/07/09 ) and later