[24/04/2026 07:37] Lula dá entrada em hospital para fazer cauterização na cabeça e infiltração por causa de tendinite na mão - O GLOBO

[24/04/2026 09:16] "Brasileiras são programadas para criar confusão", diz enviado de Trump - CNN Brasil

[24/04/2026 09:42] Funcionário dos EUA deixa o Brasil após governo Lula aplicar reciprocidade - Jovem Pan

[24/04/2026 07:27] TSE confirma inelegibilidade de Cláudio Castro, mas aponta que não houve cassação - Diário do Rio

[24/04/2026 07:19] Gilmar pede desculpas após citar homossexualidade em resposta a críticas de Zema - CartaCapital

[24/04/2026 04:30] Alerj quer quadruplicar emendas impositivas para R$ 1,5 bilhão em meio a corte de gastos do governo do Rio - O GLOBO

[24/04/2026 11:00] Disputa por área de tráfico pode ter motivado mortes em bar na Pampulha - Estado de Minas

[24/04/2026 09:07] El Niño mais forte em uma década ameaça colheitas globais - CNN Brasil

[24/04/2026 08:00] Gestão Tarcísio deve livrar delegado Da Cunha de demissão da polícia de SP - Folha de S.Paulo

[24/04/2026 08:21] Homem esfaqueia amante após ela contar sobre caso para a esposa dele - O TEMPO

[CVE-2025-15082] [Modified: 20-01-2026] [Analyzed] [V3.1 S5.3:MEDIUM] A vulnerability was found in TOZED ZLT M30s up to 1.47. Impacted is an unknown function of the file /reqproc/proc_post of the component Web Management Interface. Performing manipulation of the argument goformId results in information disclosure. It is possible to initiate the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

[CVE-2025-15083] [Modified: 20-01-2026] [Analyzed] [V3.1 S2.0:LOW] A vulnerability was determined in TOZED ZLT M30s up to 1.47. The affected element is an unknown function of the component UART Interface. Executing manipulation can lead to on-chip debug and test interface with improper access control. The physical device can be targeted for the attack. Attacks of this nature are highly complex. The exploitability is described as difficult. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.

[CVE-2025-15084] [Modified: 31-12-2025] [Analyzed] [V3.1 S3.1:LOW] A vulnerability was identified in youlaitech youlai-mall 1.0.0/2.0.0. The impacted element is the function orderService.payOrder of the file mall-oms/oms-boot/src/main/java/com/youlai/mall/oms/controller/app/OrderController.java of the component Order Payment Handler. The manipulation leads to improper access controls. The attack can be initiated remotely. The attack is considered to have high complexity. The exploitability is regarded as difficult. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

[CVE-2025-15085] [Modified: 31-12-2025] [Analyzed] [V3.1 S4.3:MEDIUM] A security flaw has been discovered in youlaitech youlai-mall 1.0.0/2.0.0. This affects the function deductBalance of the file mall-ums/ums-boot/src/main/java/com/youlai/mall/ums/controller/app/MemberController.java of the component Balance Handler. The manipulation results in improper authorization. The attack can be launched remotely. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way.

[CVE-2025-68935] [Modified: 02-01-2026] [Analyzed] [V3.1 S6.4:MEDIUM] ONLYOFFICE Docs before 9.2.1 allows XSS via the Font field for the Multilevel list settings window. This is related to DocumentServer.

[CVE-2025-68936] [Modified: 02-01-2026] [Analyzed] [V3.1 S6.4:MEDIUM] ONLYOFFICE Docs before 9.2.1 allows XSS via the Color theme name. This is related to DocumentServer.

[CVE-2025-15086] [Modified: 31-12-2025] [Analyzed] [V3.1 S4.3:MEDIUM] A weakness has been identified in youlaitech youlai-mall 1.0.0/2.0.0. This impacts the function getMemberByMobile of the file mall-ums/ums-boot/src/main/java/com/youlai/mall/ums/controller/app/MemberController.java. This manipulation causes improper access controls. The attack may be initiated remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way.

[CVE-2025-15089] [Modified: 31-12-2025] [Analyzed] [V3.1 S8.8:HIGH] A vulnerability has been found in UTT 进取 512W up to 1.7.7-171114. This affects the function strcpy of the file /goform/APSecurity. The manipulation of the argument wepkey1 leads to buffer overflow. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used.

[CVE-2025-15090] [Modified: 31-12-2025] [Analyzed] [V3.1 S8.8:HIGH] A vulnerability was found in UTT 进取 512W up to 1.7.7-171114. This vulnerability affects the function strcpy of the file /goform/formConfigNoticeConfig. The manipulation of the argument timestart results in buffer overflow. The attack may be performed from remote. The exploit has been made public and could be used.

[CVE-2025-15091] [Modified: 31-12-2025] [Analyzed] [V3.1 S8.8:HIGH] A vulnerability was determined in UTT 进取 512W up to 1.7.7-171114. This issue affects the function strcpy of the file /goform/formPictureUrl. This manipulation of the argument importpictureurl causes buffer overflow. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized.

[CVE-2025-15092] [Modified: 31-12-2025] [Analyzed] [V3.1 S8.8:HIGH] A vulnerability was identified in UTT 进取 512W up to 1.7.7-171114. Impacted is the function strcpy of the file /goform/ConfigExceptMSN. Such manipulation of the argument remark leads to buffer overflow. It is possible to launch the attack remotely. The exploit is publicly available and might be used.

[CVE-2025-68938] [Modified: 02-01-2026] [Analyzed] [V3.1 S4.3:MEDIUM] Gitea before 1.25.2 mishandles authorization for deletion of releases.

[CVE-2025-68939] [Modified: 02-01-2026] [Analyzed] [V3.1 S8.2:HIGH] Gitea before 1.23.0 allows attackers to add attachments with forbidden file extensions by editing an attachment name via an attachment API.

[CVE-2025-68940] [Modified: 02-01-2026] [Analyzed] [V3.1 S3.1:LOW] In Gitea before 1.22.5, branch deletion permissions are not adequately enforced after merging a pull request.

[CVE-2025-68941] [Modified: 02-01-2026] [Analyzed] [V3.1 S4.9:MEDIUM] Gitea before 1.22.3 mishandles access to a private resource upon receiving an API token with scope limited to public resources.

[CVE-2025-68942] [Modified: 02-01-2026] [Analyzed] [V3.1 S5.4:MEDIUM] Gitea before 1.22.2 allows XSS because the search input box (for creating tags and branches) is v-html instead of v-text.

[CVE-2025-15099] [Modified: 08-01-2026] [Analyzed] [V3.1 S7.3:HIGH] A vulnerability was identified in simstudioai sim up to 0.5.27. This vulnerability affects unknown code of the file apps/sim/lib/auth/internal.ts of the component CRON Secret Handler. The manipulation of the argument INTERNAL_API_SECRET leads to improper authentication. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The identifier of the patch is e359dc2946b12ed5e45a0ec9c95ecf91bd18502a. Applying a patch is the recommended action to fix this issue.

[CVE-2025-68943] [Modified: 31-12-2025] [Analyzed] [V3.1 S5.3:MEDIUM] Gitea before 1.21.8 inadvertently discloses users' login times by allowing (for example) the lastlogintime explore/users sort order.

[CVE-2025-68944] [Modified: 31-12-2025] [Analyzed] [V3.1 S5.0:MEDIUM] Gitea before 1.22.2 sometimes mishandles the propagation of token scope for access control within one of its own package registries.

[CVE-2025-68945] [Modified: 31-12-2025] [Analyzed] [V3.1 S5.8:MEDIUM] In Gitea before 1.21.2, an anonymous user can visit a private user's project.