[14/02/2026 12:30] Vorcaro relatou cobranças por pagamentos a resort de Toffoli, diz jornal - O Globo

[14/02/2026 19:39] Mais de 280 cidades de SC tem alerta de perigo para chuvas intensas e ventos de 100 km/h - NSC Total

[14/02/2026 19:44] Bloco do Amor reúne multidão no Museu Nacional com mensagem política - Correio Braziliense

[14/02/2026 14:06] Após fala de Flávio, Michelle diz que entrega futuro político "a Deus" - CNN Brasil

[14/02/2026 16:51] Uma conversa com o senador que decidiu enfrentar o STF e o Banco Master - Revista Oeste

[14/02/2026 19:53] Homem agride muçulmanas com socos e tira o véu de uma delas em shopping de Foz do Iguaçu - Estadão

[14/02/2026 18:00] Itabirito x Atlético: veja as escalações para o jogo pela última rodada do Mineiro - Rádio Itatiaia

[14/02/2026 14:47] Desfile de Carnaval em homenagem a Lula pode torná-lo inelegível? - BBC

[14/02/2026 08:34] Domingo tem mais de 70 blocos de Carnaval em BH; confira programação - Rádio Itatiaia

[14/02/2026 21:37] Rubio se reúne com Zelensky e fala em fim da guerra "de uma vez por todas" - CNN Brasil

[CVE-2025-11914] [Modified: 31-10-2025] [Analyzed] [V3.1 S4.3:MEDIUM] A vulnerability was found in Shenzhen Ruiming Technology Streamax Crocus 1.3.40. Affected by this issue is the function Download of the file /DeviceFileReport.do?Action=Download. Performing manipulation of the argument FilePath results in path traversal. The attack may be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

[CVE-2025-62642] [Modified: 31-10-2025] [Analyzed] [V3.1 S5.8:MEDIUM] The Restaurant Brands International (RBI) assistant platform through 2025-09-06 has an "Anyone Can Join This Party" signup API that does not verify user account creation, allowing a remote unauthenticated attacker to create a user account.

[CVE-2025-62643] [Modified: 31-10-2025] [Analyzed] [V3.1 S3.4:LOW] The Restaurant Brands International (RBI) assistant platform through 2025-09-06 transmits passwords of user accounts in cleartext e-mail messages.

[CVE-2025-62644] [Modified: 31-10-2025] [Analyzed] [V3.1 S5.0:MEDIUM] The Restaurant Brands International (RBI) assistant platform through 2025-09-06 has a Global Store Directory that shares personal information among authenticated users.

[CVE-2025-62645] [Modified: 04-11-2025] [Analyzed] [V3.1 S9.9:CRITICAL] The Restaurant Brands International (RBI) assistant platform through 2025-09-06 allows a remote authenticated attacker to obtain a token with administrative privileges for the entire platform via the createToken GraphQL mutation.

[CVE-2025-62646] [Modified: 31-10-2025] [Analyzed] [V3.1 S5.0:MEDIUM] The Restaurant Brands International (RBI) assistant platform through 2025-09-06 allows remote attackers to review the stored audio of conversations between associates and Drive Thru customers.

[CVE-2025-62647] [Modified: 31-10-2025] [Analyzed] [V3.1 S5.0:MEDIUM] The Restaurant Brands International (RBI) assistant platform through 2025-09-06 provides the functionality of returning a JWT that can be used to call an API to return a signed AWS upload URL, for any store's path.

[CVE-2025-62648] [Modified: 31-10-2025] [Analyzed] [V3.1 S6.4:MEDIUM] The Restaurant Brands International (RBI) assistant platform through 2025-09-06 allows remote attackers to adjust Drive Thru speaker audio volume.

[CVE-2025-62649] [Modified: 06-11-2025] [Analyzed] [V3.1 S5.8:MEDIUM] The Restaurant Brands International (RBI) assistant platform through 2025-09-06 relies on client-side authentication for submission of equipment orders.

[CVE-2025-62650] [Modified: 31-10-2025] [Analyzed] [V3.1 S8.3:HIGH] The Restaurant Brands International (RBI) assistant platform through 2025-09-06 relies on client-side authentication for use of the diagnostic screen.

[CVE-2025-62651] [Modified: 31-10-2025] [Analyzed] [V3.1 S6.5:MEDIUM] The Restaurant Brands International (RBI) assistant platform through 2025-09-06 does not implement access control for the bathroom rating interface.

[CVE-2017-20206] [Modified: 23-12-2025] [Analyzed] [V3.1 S9.8:CRITICAL] The Appointments plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 2.2.1 via deserialization of untrusted input from the `wpmudev_appointments` cookie. This allows unauthenticated attackers to inject a PHP Object. Attackers were actively exploiting this vulnerability with the WP_Theme() class to create backdoors.

[CVE-2017-20207] [Modified: 05-01-2026] [Analyzed] [V3.1 S9.8:CRITICAL] The Flickr Gallery plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.5.2 via deserialization of untrusted input from the `pager ` parameter. This allows unauthenticated attackers to inject a PHP Object. Attackers were actively exploiting this vulnerability with the WP_Theme() class to create backdoors.

[CVE-2017-20208] [Modified: 19-12-2025] [Analyzed] [V3.1 S9.8:CRITICAL] The RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress is vulnerable to PHP Object Injection in all versions up to 3.7.9.3 (exclusive) via deserialization of untrusted input from the is_expired_by_date() function. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to fetch a remote file and install it on the site.

[CVE-2025-10006] [Modified: 26-11-2025] [Analyzed] [V3.1 S6.4:MEDIUM] The WPBakery Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'rev_slider_vc' shortcode in all versions up to, and including, 8.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This is only exploitable when RevSlider is also installed.

[CVE-2025-11938] [Modified: 27-10-2025] [Analyzed] [V3.1 S5.6:MEDIUM] A vulnerability was found in ChurchCRM up to 5.18.0. This vulnerability affects unknown code of the file setup/routes/setup.php. Performing manipulation of the argument DB_PASSWORD/ROOT_PATH/URL results in deserialization. The attack may be initiated remotely. The attack's complexity is rated as high. It is stated that the exploitability is difficult. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

[CVE-2025-11939] [Modified: 27-10-2025] [Analyzed] [V3.1 S4.7:MEDIUM] A vulnerability was determined in ChurchCRM up to 5.18.0. This issue affects some unknown processing of the file src/ChurchCRM/Backup/RestoreJob.php of the component Backup Restore Handler. Executing manipulation of the argument restoreFile can lead to path traversal. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.

[CVE-2025-11941] [Modified: 12-01-2026] [Analyzed] [V3.1 S5.4:MEDIUM] A vulnerability was detected in e107 CMS up to 2.3.3. This impacts an unknown function of the file /e107_admin/image.php?mode=main&action=avatar of the component Avatar Handler. Performing manipulation of the argument multiaction[] results in path traversal. It is possible to initiate the attack remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

[CVE-2025-11942] [Modified: 17-11-2025] [Analyzed] [V3.1 S7.3:HIGH] A flaw has been found in 70mai X200 up to 20251010. Affected is an unknown function of the component Pairing. Executing manipulation can lead to missing authentication. It is possible to launch the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

[CVE-2025-11943] [Modified: 17-11-2025] [Analyzed] [V3.1 S7.3:HIGH] A vulnerability has been found in 70mai X200 up to 20251010. Affected by this vulnerability is an unknown functionality of the component HTTP Web Server. The manipulation leads to use of default credentials. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.