[30/04/2026 15:38] Com derrubada de veto de Lula ao PL da Dosimetria, saiba o que acontece com Bolsonaro - G1

[30/04/2026 17:10] Lula avalia nomeação de Jorge Messias ao Ministério da Justiça - CNN Brasil

[30/04/2026 11:56] Bolsonaristas fazem acordo após rejeição de Messias e desistem de pressionar Alcolumbre por CPI do Master - O GLOBO

[30/04/2026 14:01] Merz deveria se dedicar a consertar seu país quebrado, diz Trump - Poder360

[30/04/2026 12:55] Seis ônibus são atravessados e usados como barricadas na Zona Norte do Rio - G1

[30/04/2026 04:13] Alcolumbre negociou com direita reeleição para comando do Senado - Metrópoles

[30/04/2026 16:15] TSE decide pela cassação de Silvia Waiãpi, a 'indígena do Bolsonaro' - UOL Notícias

[30/04/2026 08:19] Ciclone e frente fria devem virar o tempo no feriado do Dia do Trabalho - Olhar Digital

[30/04/2026 12:58] Justiça condena Kalil por improbidade administrativa em caso de nepotismo - Estado de Minas

[30/04/2026 14:17] Vereador de cidade mineira morre em acidente de moto - Estado de Minas

[CVE-2025-15393] [Modified: 29-04-2026] [Analyzed] [V3.1 S6.3:MEDIUM] A security vulnerability has been detected in Kohana KodiCMS up to 13.82.135. This impacts the function Save of the file cms/modules/kodicms/classes/kodicms/model/file.php of the component Layout API Endpoint. The manipulation of the argument content leads to code injection. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

[CVE-2025-15394] [Modified: 29-04-2026] [Analyzed] [V3.1 S4.7:MEDIUM] A vulnerability was detected in iCMS up to 8.0.0. Affected is the function Save of the file app/config/ConfigAdmincp.php of the component POST Parameter Handler. The manipulation of the argument config results in code injection. The attack can be launched remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

[CVE-2025-34467] [Modified: 02-02-2026] [Analyzed] [V3.1 S4.3:MEDIUM] ZwiiCMS versions prior to 13.7.00 contain a denial-of-service vulnerability in multiple administrative endpoints due to improper authorization checks combined with flawed resource state management. When an authenticated low-privilege user requests an administrative page, the application returns "404 Not Found" as expected, but incorrectly acquires and associates a temporary lock on the targeted resource with the attacker session prior to authorization. This lock prevents other users, including administrators, from accessing the affected functionality until the attacker navigates away or the session is terminated.

[CVE-2025-34468] [Modified: 14-01-2026] [Analyzed] [V3.1 S9.8:CRITICAL] libcoap versions up to and including 4.3.5, prior to commit 30db3ea, contain a stack-based buffer overflow in address resolution when attacker-controlled hostname data is copied into a fixed 256-byte stack buffer without proper bounds checking. A remote attacker can trigger a crash and potentially achieve remote code execution depending on compiler options and runtime memory protections. Exploitation requires the proxy logic to be enabled (i.e., the proxy request handling code path in an application using libcoap).

[CVE-2015-10145] [Modified: 29-01-2026] [Analyzed] [V3.1 S8.8:HIGH] Gargoyle router management utility versions 1.5.x contain an authenticated OS command execution vulnerability in /utility/run_commands.sh. The application fails to properly restrict or validate input supplied via the 'commands' parameter, allowing an authenticated attacker to execute arbitrary shell commands on the underlying system. Successful exploitation may result in full compromise of the device, including unauthorized access to system files and execution of attacker-controlled commands.

[CVE-2025-15398] [Modified: 29-04-2026] [Analyzed] [V3.1 S3.7:LOW] A security vulnerability has been detected in Uasoft badaso up to 2.9.7. Affected is the function forgetPassword of the file src/Controllers/BadasoAuthController.php of the component Token Handler. Such manipulation leads to weak password recovery. The attack can be executed remotely. This attack is characterized by high complexity. The exploitability is told to be difficult. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

[CVE-2025-34469] [Modified: 13-01-2026] [Analyzed] [V3.1 S7.5:HIGH] Cowrie versions prior to 2.9.0 contain a server-side request forgery (SSRF) vulnerability in the emulated shell implementation of wget and curl. In the default emulated shell configuration, these command emulations perform real outbound HTTP requests to attacker-supplied destinations. Because no outbound request rate limiting was enforced, unauthenticated remote attackers could repeatedly invoke these commands to generate unbounded HTTP traffic toward arbitrary third-party targets, allowing the Cowrie honeypot to be abused as a denial-of-service amplification node and masking the attacker’s true source address behind the honeypot’s IP.

[CVE-2025-68700] [Modified: 06-01-2026] [Analyzed] [V3.1 S8.8:HIGH] RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. In versions prior to 0.23.0, a low-privileged authenticated user (normal login account) can execute arbitrary system commands on the server host process via the frontend Canvas CodeExec component, completely bypassing sandbox isolation. This occurs because untrusted data (stdout) is parsed using eval() with no filtering or sandboxing. The intended design was to "automatically convert string results into Python objects," but this effectively executes attacker-controlled code. Additional endpoints lack access control or contain inverted permission logic, significantly expanding the attack surface and enabling chained exploitation. Version 0.23.0 contains a patch for the issue.

[CVE-2025-69286] [Modified: 06-01-2026] [Analyzed] [V3.1 S9.8:CRITICAL] RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. In versions prior to 0.22.0, the use of an insecure key generation algorithm in the API key and beta (assistant/agent share auth) token generation process allows these tokens to be mutually derivable. Specifically, both tokens are generated using the same `URLSafeTimedSerializer` with predictable inputs, enabling an unauthorized user who obtains the shared assistant/agent URL to derive the personal API key. This grants them full control over the assistant/agent owner's account. Version 0.22.0 fixes the issue.

[CVE-2025-69288] [Modified: 13-01-2026] [Analyzed] [V3.1 S9.1:CRITICAL] Titra is open source project time tracking software. Prior to version 0.99.49, Titra allows any authenticated Admin user to modify the timeEntryRule in the database. The value is then passed to a NodeVM value to execute as code. Without sanitization, it leads to a Remote Code Execution. Version 0.99.49 fixes the issue.

[CVE-2025-67703] [Modified: 06-01-2026] [Analyzed] [V3.1 S6.1:MEDIUM] There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim’s browser.

[CVE-2025-67704] [Modified: 06-01-2026] [Analyzed] [V3.1 S6.1:MEDIUM] There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim’s browser.

[CVE-2025-67705] [Modified: 06-01-2026] [Analyzed] [V3.1 S6.1:MEDIUM] There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim’s browser.

[CVE-2025-67706] [Modified: 19-02-2026] [Analyzed] [V3.1 S5.6:MEDIUM] ArcGIS Server versions 11.5 and earlier on Windows and Linux do not sufficiently validate uploaded files, enabling a remote unauthenticated attacker to upload arbitrary files to the server’s designated upload directories. However, the server’s architecture enforces controls that restrict uploaded files to non‑executable storage locations and prevent modification or replacement of existing application components or system configurations. Uploaded files cannot be executed, leveraged to escalate privileges, or used to access sensitive data. Because the issue does not enable execution, service disruption, unauthorized access, or integrity compromise, its impact on confidentiality, integrity, and availability is low. Note that race conditions, secret values, or man‑in‑the‑middle conditions are required for exploitation.

[CVE-2025-67707] [Modified: 20-02-2026] [Analyzed] [V3.1 S5.6:MEDIUM] ArcGIS Server versions 11.5 and earlier on Windows and Linux do not sufficiently validate uploaded files, enabling a remote unauthenticated attacker to upload arbitrary files to the server’s designated upload directories. However, the server’s architecture enforces controls that restrict uploaded files to non‑executable storage locations and prevent modification or replacement of existing application components or system configurations. Uploaded files cannot be executed, leveraged to escalate privileges, or used to access sensitive data. Because the issue does not enable execution, service disruption, unauthorized access, or integrity compromise, its impact on confidentiality, integrity, and availability is low. Note that race conditions, secret values, or man‑in‑the‑middle conditions are required for exploitation.

[CVE-2025-67708] [Modified: 06-01-2026] [Analyzed] [V3.1 S6.1:MEDIUM] There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim’s browser.

[CVE-2025-67709] [Modified: 06-01-2026] [Analyzed] [V3.1 S6.1:MEDIUM] There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim’s browser.

[CVE-2025-67710] [Modified: 06-01-2026] [Analyzed] [V3.1 S6.1:MEDIUM] There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim’s browser.

[CVE-2025-67711] [Modified: 06-01-2026] [Analyzed] [V3.1 S6.1:MEDIUM] There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim’s browser.

[CVE-2025-69413] [Modified: 06-01-2026] [Analyzed] [V3.1 S5.3:MEDIUM] In Gitea before 1.25.2, /api/v1/user has different responses for failed authentication depending on whether a username exists.