[CVE-2025-10707] [Modified: 31-12-2025] [Analyzed] [V3.1 S6.3:MEDIUM] A weakness has been identified in JeecgBoot up to 3.8.2. Affected is an unknown function of the file /message/sysMessageTemplate/sendMsg. Executing manipulation can lead to improper authorization. The attack may be launched remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way.

[CVE-2025-10708] [Modified: 03-10-2025] [Analyzed] [V3.1 S5.3:MEDIUM] A security vulnerability has been detected in Four-Faith Water Conservancy Informatization Platform 1.0. Affected by this vulnerability is an unknown functionality of the file /history/historyDownload.do;usrlogout.do. The manipulation of the argument fileName leads to path traversal. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

[CVE-2025-10709] [Modified: 03-10-2025] [Analyzed] [V3.1 S5.3:MEDIUM] A vulnerability was detected in Four-Faith Water Conservancy Informatization Platform 1.0. Affected by this issue is some unknown functionality of the file /history/historyDownload.do;otheruserLogin.do;getfile. The manipulation of the argument fileName results in path traversal. The attack can be executed remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

[CVE-2025-46703] [Modified: 22-09-2025] [Analyzed] [V3.1 S6.4:MEDIUM] Improper Encoding or Escaping of Output vulnerability in Hallo Welt! GmbH BlueSpice (Extension:AtMentions) allows Cross-Site Scripting (XSS). This issue affects BlueSpice: from 5 through 5.1.1.

[CVE-2025-48007] [Modified: 22-09-2025] [Analyzed] [V3.1 S6.4:MEDIUM] Improper Encoding or Escaping of Output vulnerability in Hallo Welt! GmbH BlueSpice (Extension:BlueSpiceAvatars) allows Cross-Site Scripting (XSS). This issue affects BlueSpice: from 5 through 5.1.1.

[CVE-2025-57880] [Modified: 22-09-2025] [Analyzed] [V3.1 S5.4:MEDIUM] Improper Encoding or Escaping of Output vulnerability in Hallo Welt! GmbH BlueSpice (Extension:BlueSpiceWhoIsOnline) allows Cross-Site Scripting (XSS). This issue affects BlueSpice: from 5 through 5.1.1.

[CVE-2025-58114] [Modified: 22-09-2025] [Analyzed] [V3.1 S4.8:MEDIUM] Improper Input Validation vulnerability in Hallo Welt! GmbH BlueSpice (Extension:CognitiveProcessDesigner) allows Cross-Site Scripting (XSS). This issue affects BlueSpice: from 5 through 5.1.1.

[CVE-2025-57528] [Modified: 03-10-2025] [Analyzed] [V3.1 S7.7:HIGH] An issue was discovered in Tenda AC6 US_AC6V1.0BR_V15.03.05.16_multi_TD01 allowing attackers to cause a denial of service via the funcname, funcpara1, funcpara2 parameters to the formSetCfm function (uri path: SetCfm).

[CVE-2025-55910] [Modified: 25-09-2025] [Analyzed] [V3.1 S6.3:MEDIUM] CMSEasy v7.7.8.0 and before is vulnerable to Arbitrary file deletion in database_admin.php.

[CVE-2025-56869] [Modified: 03-10-2025] [Analyzed] [V3.1 S5.3:MEDIUM] Directory traversal vulnerability in Sync In server through 1.1.1 allowing authenticated attackers to gain read and write access to the system via the FilesManager.saveMultipart function in backend/src/applications/files/services/files-manager.service.ts, and the FilesManager.compress function in backend/src/applications/files/services/files-manager.service.ts.

[CVE-2025-57296] [Modified: 25-09-2025] [Analyzed] [V3.1 S6.5:MEDIUM] Tenda AC6 router firmware 15.03.05.19 contains a command injection vulnerability in the formSetIptv function, which processes requests to the /goform/SetIPTVCfg web interface. When handling the list and vlanId parameters, the sub_ADBC0 helper function concatenates these user-supplied values into nvram set system commands using doSystemCmd, without validating or sanitizing special characters (e.g., ;, ", #). An unauthenticated or authenticated attacker can exploit this by submitting a crafted POST request, leading to arbitrary system command execution on the affected device.

[CVE-2025-57644] [Modified: 17-10-2025] [Analyzed] [V3.1 S9.1:CRITICAL] Accela Automation Platform 22.2.3.0.230103 contains multiple vulnerabilities in the Test Script feature. An authenticated administrative user can execute arbitrary Java code on the server, resulting in remote code execution. In addition, improper input validation allows for arbitrary file write and server-side request forgery (SSRF), enabling interaction with internal or external systems. Successful exploitation can lead to full server compromise, unauthorized access to sensitive data, and further network exploitation.

[CVE-2025-48703] [Modified: 05-11-2025] [Analyzed] [V3.1 S9.0:CRITICAL] CWP (aka Control Web Panel or CentOS Web Panel) before 0.9.8.1205 allows unauthenticated remote code execution via shell metacharacters in the t_total parameter in a filemanager changePerm request. A valid non-root username must be known.

[CVE-2025-26514] [Modified: 23-09-2025] [Analyzed] [V3.1 S6.4:MEDIUM] StorageGRID (formerly StorageGRID Webscale) versions prior to 11.8.0.15 and 11.9.0.8 are susceptible to a Reflected Cross-Site Scripting vulnerability. Successful exploit could allow an attacker to view or modify configuration settings or add or modify user accounts but requires the attacker to know specific information about the target instance and then trick a privileged user into clicking a specially crafted link.

[CVE-2025-26515] [Modified: 23-09-2025] [Analyzed] [V3.1 S7.5:HIGH] StorageGRID (formerly StorageGRID Webscale) versions prior to 11.8.0.15 and 11.9.0.8 without Single Sign-on enabled are susceptible to a Server-Side Request Forgery (SSRF) vulnerability. Successful exploit could allow an unauthenticated attacker to change the password of any Grid Manager or Tenant Manager non-federated user.

[CVE-2025-26516] [Modified: 23-09-2025] [Analyzed] [V3.1 S5.3:MEDIUM] StorageGRID (formerly StorageGRID Webscale) versions prior to 11.8.0.15 and 11.9.0.8 are susceptible to a Denial of Service vulnerability. Successful exploit could allow an unauthenticated attacker to cause a Denial of Service on the Admin node.

[CVE-2025-26517] [Modified: 23-09-2025] [Analyzed] [V3.1 S5.4:MEDIUM] StorageGRID (formerly StorageGRID Webscale) versions prior to 11.8.0.15 and 11.9.0.8 are susceptible to a privilege escalation vulnerability. Successful exploit could allow an unauthorized authenticated attacker to discover Grid node names and IP addresses or modify Storage Grades.

[CVE-2025-34200] [Modified: 24-09-2025] [Analyzed] [V3.1 S7.8:HIGH] Vasion Print (formerly PrinterLogic) Virtual Appliance Host and Application (VA and SaaS deployments) provision the appliance with the network account credentials in clear-text inside /etc/issue, and the file is world-readable by default. An attacker with local shell access can read /etc/issue to obtain the network account username and password. Using the network account an attacker can change network parameters via the appliance interface, enabling local misconfiguration, network disruption or further escalation depending on deployment.

[CVE-2025-34201] [Modified: 24-09-2025] [Analyzed] [V3.1 S7.8:HIGH] Vasion Print (formerly PrinterLogic) Virtual Appliance Host and Application (VA and SaaS deployments) run many Docker containers on shared internal networks without firewalling or segmentation between instances. A compromise of any single container allows direct access to internal services (HTTP, Redis, MySQL, etc.) on the overlay network. From a compromised container, an attacker can reach and exploit other services, enabling lateral movement, data theft, and system-wide compromise.

[CVE-2025-34204] [Modified: 24-09-2025] [Analyzed] [V3.1 S9.8:CRITICAL] Vasion Print (formerly PrinterLogic) Virtual Appliance Host and Application (VA and SaaS deployments) contains multiple Docker containers that run primary application processes (for example PHP workers, Node.js servers and custom binaries) as the root user. This increases the blast radius of a container compromise and enables lateral movement and host compromise when a container is breached.