[16/04/2026 16:47] PF aponta R$ 146,5 milhões em propinas para ex-presidente do BRB - Poder360

[16/04/2026 15:58] Nova administração do estado: primeira lista, com 157 exonerações de cargos em comissão da Secretaria de Governo, é publicada nesta quinta-feira em DO - O GLOBO

[15/04/2026 21:06] Ramagem é solto nos EUA e espera resposta a pedido de asilo - BBC

[16/04/2026 10:56] Além de MC Poze e dono da Choquei, quem é o empresário preso em megaoperação da PF em SC - ND Mais

[16/04/2026 19:52] Entenda os sintomas do Alzheimer em estágio avançado, como o do ex-presidente FHC - Folha de S.Paulo

[16/04/2026 14:48] Emenda de Nikolas prevê que o governo arque com custos do fim da 6x1 - Metrópoles

[16/04/2026 15:48] Colegas da TV homenageiam cinegrafista morto em acidente - Estado de Minas

[16/04/2026 08:15] Senado aprova novo percentual de cacau no chocolate e determina fim do 'amargo' e 'meio amargo' - Jornal Correio

[16/04/2026 14:55] 7 a 0: Maioria do STF vota por derrubar lei de Santa Catarina que proibiu cotas raciais - CartaCapital

[16/04/2026 15:46] Entenda nova decisão da Justiça italiana contra Zambelli - CNN Brasil

[CVE-2025-14832] [Modified: 31-12-2025] [Analyzed] [V3.1 S7.3:HIGH] A vulnerability was identified in itsourcecode Online Cake Ordering System 1.0. The affected element is an unknown function of the file /updateproduct.php?action=edit. Such manipulation of the argument ID leads to sql injection. It is possible to launch the attack remotely. The exploit is publicly available and might be used.

[CVE-2025-67873] [Modified: 02-01-2026] [Analyzed] [V3.1 S4.8:MEDIUM] Capstone is a disassembly framework. In versions 6.0.0-Alpha5 and prior, Skipdata length is not bounds-checked, so a user-provided skipdata callback can make cs_disasm/cs_disasm_iter memcpy more than 24 bytes into cs_insn.bytes, causing a heap buffer overflow in the disassembly path. Commit cbef767ab33b82166d263895f24084b75b316df3 fixes the issue.

[CVE-2025-67875] [Modified: 18-12-2025] [Analyzed] [V3.1 S5.4:MEDIUM] ChurchCRM is an open-source church management system. A privilege escalation vulnerability exists in ChurchCRM prior to version 6.5.3. An authenticated user with specific mid-level permissions ("Edit Records" and "Manage Properties and Classifications") can inject a persistent Cross-Site Scripting (XSS) payload into an administrator's profile. The payload executes when the administrator views their own profile page, allowing the attacker to hijack the administrator's session, perform administrative actions, and achieve a full account takeover. This vulnerability is a combination of two separate flaws: an Insecure Direct Object Reference (IDOR) that allows any user to view any other user's profile, and a Broken Access Control vulnerability that allows a user with general edit permissions to modify any other user's record properties. Version 6.5.3 fixes the issue.

[CVE-2025-67876] [Modified: 18-12-2025] [Analyzed] [V3.1 S5.4:MEDIUM] ChurchCRM is an open-source church management system. A stored cross-site scripting (XSS) vulnerability exists in ChurchCRM versions 6.4.0 and prior that allows a low-privilege user with the “Manage Groups” permission to inject persistent JavaScript into group role names. The payload is saved in the database and executed whenever any user (including administrators) views a page that displays that role, such as GroupView.php or PersonView.php. This allows full session hijacking and account takeover. As of time of publication, no known patched versions are available.

[CVE-2025-67877] [Modified: 18-12-2025] [Analyzed] [V3.1 S8.8:HIGH] ChurchCRM is an open-source church management system. Versions prior to 6.5.3 have a SQL injection vulnerability in the `src/CartToFamily.php` file, specifically in how the `PersonAddress` POST parameter is handled. Unlike other parameters in the same file which are correctly cast to integers using the `InputUtils` class, the `PersonAddress` parameter is missing the type definition. This allows an attacker to inject arbitrary SQL commands directly into the query. Version 6.5.3 fixes the issue.

[CVE-2025-68109] [Modified: 18-12-2025] [Analyzed] [V3.1 S9.1:CRITICAL] ChurchCRM is an open-source church management system. In versions prior to 6.5.3, the Database Restore functionality does not validate the content or file extension of uploaded files. As a result, an attacker can upload a web shell file and subsequently upload a .htaccess file to enable direct access to it. Once accessed, the uploaded web shell allows remote code execution (RCE) on the server. Version 6.5.3 fixes the issue.

[CVE-2025-68110] [Modified: 18-12-2025] [Analyzed] [V3.1 S9.9:CRITICAL] ChurchCRM is an open-source church management system. Versions prior to 6.5.3 may disclose database information in an error message including the host, ip, username, and password. Version 6.5.3 fixes the issue.

[CVE-2025-68111] [Modified: 18-12-2025] [Analyzed] [V3.1 S7.2:HIGH] ChurchCRM is an open-source church management system. In versions prior to 6.5.3, a SQL injection vulnerability exists in the `eGive.php` file within the "ReImport" functionality. An authenticated user with finance privileges can execute arbitrary SQL queries by manipulating the `MissingEgive_FamID_...` POST parameter. This can lead to unauthorized data access, modification, or deletion within the database. Version 6.5.3 has a patch for the issue.

[CVE-2025-68112] [Modified: 18-12-2025] [Analyzed] [V3.1 S9.6:CRITICAL] ChurchCRM is an open-source church management system. In versions prior to 6.5.3, a SQL injection vulnerability in ChurchCRM's Event Attendee Editor allows authenticated users to execute arbitrary SQL commands, leading to complete database compromise, administrative credential theft, and potential system takeover. The vulnerability enables attackers to extract sensitive member data, authentication credentials, and financial information from the church management system. Version 6.5.3 contains a patch for the issue.

[CVE-2025-68114] [Modified: 02-01-2026] [Analyzed] [V3.1 S4.8:MEDIUM] Capstone is a disassembly framework. In versions 6.0.0-Alpha5 and prior, an unchecked vsnprintf return in SStream_concat lets a malicious cs_opt_mem.vsnprintf drive SStream’s index negative or past the end, leading to a stack buffer underflow/overflow when the next write occurs. Commit 2c7797182a1618be12017d7d41e0b6581d5d529e fixes the issue.

[CVE-2025-68118] [Modified: 02-01-2026] [Analyzed] [V3.1 S9.1:CRITICAL] FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.20.0, a vulnerability exists in FreeRDP’s certificate handling code on Windows platforms. The function `freerdp_certificate_data_hash_ uses` the Microsoft-specific `_snprintf` function to format certificate cache filenames without guaranteeing NUL termination when truncation occurs. According to Microsoft documentation, `_snprintf` does not append a terminating NUL byte if the formatted output exceeds the destination buffer size. If an attacker controls the hostname value (for example via server redirection or a crafted .rdp file), the resulting filename buffer may not be NUL-terminated. Subsequent string operations performed on this buffer may read beyond the allocated memory region, resulting in a heap-based out-of-bounds read. In default configurations, the connection is typically terminated before sensitive data can be meaningfully exposed, but unintended memory read or a client crash may still occur under certain conditions. Version 3.20.0 has a patch for the issue.

[CVE-2025-68129] [Modified: 05-03-2026] [Analyzed] [V3.1 S6.8:MEDIUM] Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. In applications built with the Auth0-PHP SDK, the audience validation in access tokens is performed improperly. Without proper validation, affected applications may accept ID tokens as Access tokens. Projects are affected if they use Auth0-PHP SDK versions between v8.0.0 and v8.17.0, or applications using the following SDKs that rely on the Auth0-PHP SDK versions between v8.0.0 and v8.17.0: Auth0/symfony versions between 5.0.0 and 5.5.0, Auth0/laravel-auth0 versions between 7.0.0 and 7.19.0, and/or Auth0/wordpress plugin versions between 5.0.0-BETA0 and 5.4.0. Auth0/Auth0-PHP version 8.18.0 contains a patch for the issue.

[CVE-2025-68275] [Modified: 18-12-2025] [Analyzed] [V3.1 S4.8:MEDIUM] ChurchCRM is an open-source church management system. Versions prior to 6.5.3 have a stored cross-site scripting vulnerability on the pages `View Active People`, `View Inactive people`, and `View All People`. Version 6.5.3 fixes the issue.

[CVE-2025-68399] [Modified: 18-12-2025] [Analyzed] [V3.1 S5.4:MEDIUM] ChurchCRM is an open-source church management system. In versions prior to 6.5.4, there is a Stored Cross-Site Scripting (XSS) vulnerability within the GroupEditor.php page of the application. When a user attempts to create a group role, they can execute malicious JavaScript. However, for this to work, the user must have permission to view and modify groups in the application. Version 6.5.4 fixes the issue.

[CVE-2025-68400] [Modified: 18-12-2025] [Analyzed] [V3.1 S8.8:HIGH] ChurchCRM is an open-source church management system. A SQL Injection vulnerability exists in the legacy endpoint `/Reports/ConfirmReportEmail.php` in ChurchCRM prior to version 6.5.3. Although the feature was removed from the UI, the file remains deployed and reachable directly via URL. This is a classic case of *dead but reachable code*. Any authenticated user - including one with zero assigned permissions - can exploit SQL injection through the `familyId` parameter. Version 6.5.3 fixes the issue.

[CVE-2025-68401] [Modified: 18-12-2025] [Analyzed] [V3.1 S4.8:MEDIUM] ChurchCRM is an open-source church management system. Prior to version 6.0.0, the application stores user-supplied HTML/JS without sufficient sanitization/encoding. When other users later view this content, attacker-controlled JavaScript executes in their browser (stored XSS). In affected contexts the script can access web origin data and perform privileged actions as the victim. Where session cookies are not marked HttpOnly, the script can read document.cookie, enabling session theft and account takeover. Version 6.0.0 patches the issue.

[CVE-2023-53907] [Modified: 31-12-2025] [Analyzed] [V3.1 S6.5:MEDIUM] Bludit versions before 3.13.1 contain an authenticated file download vulnerability in the Backup Plugin that allows logged-in users to access arbitrary files. Attackers can exploit the plugin's download functionality by manipulating file path parameters to read sensitive system files through directory traversal.

[CVE-2023-53913] [Modified: 24-12-2025] [Analyzed] [V3.1 S8.8:HIGH] Rukovoditel 3.3.1 contains a CSV injection vulnerability that allows authenticated users to inject malicious formulas into the firstname field. Attackers can craft payloads like =calc|a!z| to trigger code execution when an admin exports customer data as a CSV file.

[CVE-2023-53914] [Modified: 24-12-2025] [Analyzed] [V3.1 S9.8:CRITICAL] UliCMS 2023.1 contains an authentication bypass vulnerability that allows unauthenticated attackers to create admin users through mass assignment in the UserController. Attackers can send a crafted POST request to the admin index.php endpoint with specific parameters to generate an administrative account with full system access.

[CVE-2023-53917] [Modified: 31-12-2025] [Analyzed] [V3.1 S6.5:MEDIUM] Affiliate Me version 5.0.1 contains a SQL injection vulnerability in the admin.php endpoint that allows authenticated administrators to manipulate database queries. Attackers can exploit the 'id' parameter with crafted union-based queries to extract sensitive user information including usernames and password hashes.