[10/04/2026 13:49] Trump ameaça novos ataques ao Irã caso negociações fracassem - CartaCapital

[10/04/2026 13:29] Irã condiciona negociações a cessar-fogo no Líbano e desbloqueio de ativos - CartaCapital

[10/04/2026 22:01] A arriscada volta da Artemis 2: como astronautas pilotaram 'bola de fogo' de volta à Terra, passo a passo - BBC

[10/04/2026 23:37] SP: PM envolvida em morte de mulher é estagiária e atua nas ruas há 3 meses - UOL Notícias

[10/04/2026 20:12] Fachin diz que Corte chancelou Ricardo Couto no governo do RJ - Poder360

[10/04/2026 21:45] Após pane, Latam cancela 84 voos e afeta 10 mil passageiros em SP - CNN Brasil

[10/04/2026 19:11] Novo vídeo mostra advogada mordida por tubarão em Fernando de Noronha - CNN Brasil

[10/04/2026 19:56] Lula alerta Trump a não ameaçar Brasil: ‘não sabe o que é um pernambucano’ - Correio Braziliense

[10/04/2026 15:40] Broche dava acesso a mulheres em jantar de R$ 2,7 milhões de Vorcaro Vídeo - Metrópoles

[10/04/2026 17:11] Assalto a banco em Guidoval foi ação de grupo local e amador, diz PM - Estado de Minas

[CVE-2024-58287] [Modified: 20-01-2026] [Analyzed] [V3.1 S8.8:HIGH] reNgine 2.2.0 contains a command injection vulnerability in the nmap_cmd parameter of scan engine configuration that allows authenticated attackers to execute arbitrary commands. Attackers can modify the nmap_cmd parameter with malicious base64-encoded payloads to achieve remote code execution during scan engine configuration.

[CVE-2024-58289] [Modified: 12-01-2026] [Analyzed] [V3.1 S5.4:MEDIUM] Microweber 2.0.15 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts into user profile fields. Attackers can input script payloads in the first name field that will execute when the profile is viewed by other users, potentially stealing session cookies and executing arbitrary JavaScript.

[CVE-2024-58294] [Modified: 15-12-2025] [Analyzed] [V3.1 S8.8:HIGH] FreePBX 16 contains an authenticated remote code execution vulnerability in the API module that allows attackers with valid session credentials to execute arbitrary commands. Attackers can exploit the 'generatedocs' endpoint by crafting malicious POST requests with bash command injection to establish remote shell access.

[CVE-2024-58297] [Modified: 20-01-2026] [Analyzed] [V3.1 S5.4:MEDIUM] PyroCMS v3.0.1 contains a stored cross-site scripting vulnerability in the admin redirects configuration that allows attackers to inject malicious scripts. Attackers can insert a payload in the 'Redirect From' field to execute arbitrary JavaScript when administrators view the redirects page.

[CVE-2024-58307] [Modified: 22-12-2025] [Analyzed] [V3.1 S8.8:HIGH] CSZCMS 1.3.0 contains an authenticated SQL injection vulnerability in the members view functionality that allows authenticated attackers to manipulate database queries. Attackers can inject malicious SQL code through the view parameter to potentially execute time-based blind SQL injection attacks and extract database information.

[CVE-2024-58308] [Modified: 31-12-2025] [Analyzed] [V3.1 S9.8:CRITICAL] Quick.CMS 6.7 contains a SQL injection vulnerability that allows unauthenticated attackers to bypass login authentication by manipulating the login form. Attackers can inject specific SQL payloads like ' or '1'='1 to gain unauthorized administrative access to the system.

[CVE-2024-58309] [Modified: 30-12-2025] [Analyzed] [V3.1 S9.8:CRITICAL] xbtitFM 4.1.18 contains an unauthenticated SQL injection vulnerability that allows remote attackers to manipulate database queries by injecting malicious SQL code through the msgid parameter. Attackers can send crafted requests to /shoutedit.php with EXTRACTVALUE functions to extract database names, user credentials, and password hashes from the underlying database.

[CVE-2024-58312] [Modified: 30-12-2025] [Analyzed] [V3.1 S7.5:HIGH] xbtitFM 4.1.18 contains a path traversal vulnerability that allows unauthenticated attackers to access sensitive system files by manipulating URL parameters. Attackers can exploit directory traversal techniques to read critical system files like using encoded path traversal characters in HTTP requests.

[CVE-2024-58313] [Modified: 30-12-2025] [Analyzed] [V3.1 S7.2:HIGH] xbtitFM 4.1.18 contains an insecure file upload vulnerability that allows authenticated attackers with administrative privileges to upload and execute arbitrary PHP code through the file_hosting feature. Attackers can bypass file type restrictions by modifying the Content-Type header to image/gif, adding GIF89a magic bytes, and using alternate PHP tags to upload web shells that execute system commands.

[CVE-2025-13668] [Modified: 12-01-2026] [Analyzed] [V3.1 S6.7:MEDIUM] A potential security vulnerability in Quartus® Prime Pro Edition Design Software may allow escalation of privilege.

[CVE-2025-34504] [Modified: 15-12-2025] [Analyzed] [V3.1 S6.1:MEDIUM] KodExplorer 4.52 contains an open redirect vulnerability in the user login page that allows attackers to manipulate the 'link' parameter. Attackers can craft malicious URLs in the link parameter to redirect users to arbitrary external websites after authentication.

[CVE-2025-34506] [Modified: 15-12-2025] [Analyzed] [V3.1 S8.8:HIGH] WBCE CMS version 1.6.3 and prior contains an authenticated remote code execution vulnerability that allows administrators to upload malicious modules. Attackers can craft a specially designed ZIP module with embedded PHP reverse shell code to gain remote system access when the module is installed.

[CVE-2025-64721] [Modified: 22-12-2025] [Analyzed] [V3.1 S10.0:CRITICAL] Sandboxie is a sandbox-based isolation software for 32-bit and 64-bit Windows NT-based operating systems. In versions 1.16.6 and below, the SYSTEM-level service SbieSvc.exe exposes SbieIniServer::RC4Crypt to sandboxed processes. The handler adds a fixed header size to a caller-controlled value_len without overflow checking. A large value_len (e.g., 0xFFFFFFF0) wraps the allocation size, causing a heap overflow when attacker data is copied into the undersized buffer. This allows sandboxed processes to execute arbitrary code as SYSTEM, fully compromising the host. This issue is fixed in version 1.16.7.

[CVE-2025-66419] [Modified: 15-12-2025] [Analyzed] [V3.1 S8.8:HIGH] MaxKB is an open-source AI assistant for enterprise. In versions 2.3.1 and below, the tool module allows an attacker to escape the sandbox environment and escalate privileges under certain concurrent conditions. This issue is fixed in version 2.4.0.

[CVE-2025-66446] [Modified: 15-12-2025] [Analyzed] [V3.1 S8.8:HIGH] MaxKB is an open-source AI assistant for enterprise. Versions 2.3.1 and below have improper file permissions which allow attackers to overwrite the built-in dynamic linker and other critical files, potentially resulting in privilege escalation. This issue is fixed in version 2.4.0.

[CVE-2025-66450] [Modified: 15-12-2025] [Analyzed] [V3.1 S5.4:MEDIUM] LibreChat is a ChatGPT clone with additional features. In versions 0.8.0 and below, when a user posts a question, the iconURL parameter of the POST request can be modified by an attacker. The malicious code is then stored in the chat which can then be shared to other users. When sharing chats with a potentially malicious “tracker”, resources loaded can lead to loss of privacy for users who view the chat link that is sent to them. This issue is fixed in version 0.8.1.

[CVE-2025-66451] [Modified: 15-12-2025] [Analyzed] [V3.1 S6.5:MEDIUM] LibreChat is a ChatGPT clone with additional features. In versions 0.8.0 and below, when creating prompts, JSON requests are sent to define and modify the prompts via PATCH endpoint for prompt groups (/api/prompts/groups/:groupId). However, the request bodies are not sufficiently validated for proper input, enabling users to modify prompts in a way that was not intended as part of the front end system. The patchPromptGroup function passes req.body directly to updatePromptGroup() without filtering sensitive fields. This issue is fixed in version 0.8.1.

[CVE-2025-66452] [Modified: 15-12-2025] [Analyzed] [V3.1 S6.1:MEDIUM] LibreChat is a ChatGPT clone with additional features. In versions 0.8.0 and below, there is no handler for JSON parsing errors; SyntaxError from express.json() includes user input in the error message, which gets reflected in responses. User input (including HTML/JavaScript) can be exposed in error responses, creating an XSS risk if Content-Type isn't strictly enforced. This issue does not have a fix at the time of publication.

[CVE-2025-13052] [Modified: 28-01-2026] [Analyzed] [V3.1 S5.9:MEDIUM] When the user set the Notification's sender to send emails to the SMTP server via msmtp, an improper validated TLS/SSL certificates allows an attacker who can intercept network traffic between the SMTP client and server to execute a man-in-the-middle (MITM) attack, which may obtain the sensitive information of the SMTP. Affected products and versions include: from ADM 4.1.0 through ADM 4.3.3.RKD2 as well as from ADM 5.0.0 through ADM 5.1.0.RN42.

[CVE-2025-13053] [Modified: 28-01-2026] [Analyzed] [V3.1 S3.7:LOW] When a user configures the NAS to retrieve UPS status or control the UPS, a non-enforced TLS certificate verification can allow an attacker able to intercept network traffic between the client and server can perform a man-in-the-middle (MITM) attack, which may obtain the sensitive information of the UPS server configuation. This issue affects ADM: from 4.1.0 through 4.3.3.RKD2, from 5.0.0 through 5.1.0.RN42.