Current Conditions
São Paulo
céu limpo

15 ℃
78%
Temperatura
Umidade
Fonte: OpenWeatherMap. - 03:30:01
  1. [USD] USD 85,540.36
  1. [BRL] BRL 456,186.75 [USD] USD 85,540.36 [GBP] GBP 65,316.40 [EUR] EUR 74,092.07
    Price index provided by blockchain.info.
  2. Disclosure of the details of a bug on 32-bit systems which may, in a rare edge case, cause the node to crash when receiving a pathological block. This bug would be extremely hard to exploit. A fix was released on October 10th 2025 in Bitcoin Core v30.0.
    This issue is considered Low severity.

    Details

    Before writing a block to disk, Bitcoin Core checks that its size is within a normal range. This check would overflow on 32-bit systems for blocks over 1GB, and make the node crash when writing it to disk. Such a block cannot be sent using the BLOCK message, but could in theory be sent as a compact block if the victim node has a non-default large mempool which already contains 1GB of transactions. This would require the victim to have set their -maxmempool option to a value greater than 3GB, while 32-bit systems may have at most 4GiB of memory.
    This issue was indirectly prevented by capping the maximum value of the -maxmempool setting on 32-bit systems.

    Attribution

    Pieter Wuille discovered this bug and disclosed it responsibly.
    Antoine Poinsot proposed and implemented a covert mitigation.

    Timeline

    • 2025-04-24 - Pieter Wuille reports the issue
    • 2025-05-16 - Antoine Poinsot opens PR #32530 with a covert fix
    • 2025-06-26 - PR #32530 is merged into master
    • 2025-09-04 - Version 29.1 is released with the fix
    • 2025-10-10 - Version 30.0 is released with the fix
    • 2025-10-24 - Public Disclosure

[CVE-2025-0765] [Modified: 08-08-2025] [Analyzed] [V3.1 S4.3:MEDIUM] An issue has been discovered in GitLab CE/EE affecting all versions from 17.9 before 18.0.5, 18.1 before 18.1.3, and 18.2 before 18.2.1 that could have allowed an unauthorized user to access custom service desk email addresses.

[CVE-2025-1299] [Modified: 28-07-2025] [Analyzed] [V3.1 S4.3:MEDIUM] An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.4 before 18.0.5, all versions starting from 18.1 before 18.1.3, all versions starting from 18.2 before 18.2.1 that, under circumstances, could have allowed an unauthorized user to read deployment job logs by sending a crafted request.

[CVE-2025-4976] [Modified: 28-07-2025] [Analyzed] [V3.1 S4.3:MEDIUM] An issue has been discovered in GitLab EE affecting all versions from 17.0 before 18.0.5, 18.1 before 18.1.3, and 18.2 before 18.2.1 that, under certain circumstances, could have allowed an attacker to access internal notes in GitLab Duo responses.

[CVE-2025-7001] [Modified: 28-07-2025] [Analyzed] [V3.1 S4.3:MEDIUM] An issue has been discovered in GitLab CE/EE affecting all versions from 15.0 before 18.0.5, 18.1 before 18.1.3, and 18.2 before 18.2.1 that could have allowed priviledged users to access certain resource_group information through the API which should have been unavailable.

[CVE-2025-26397] [Modified: 12-11-2025] [Analyzed] [V3.1 S7.8:HIGH] SolarWinds Observability Self-Hosted is susceptible to Deserialization of Untrusted Data Local Privilege Escalation vulnerability. An attacker with low privileges can escalate privileges to run malicious files copied to a permission-protected folder. This vulnerability requires authentication from a low-level account and local access to the host server.

[CVE-2025-5084] [Modified: 11-08-2025] [Analyzed] [V3.1 S6.1:MEDIUM] The Post Grid Master plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘argsArray['read_more_text']’ parameter in all versions up to, and including, 3.4.13 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

[CVE-2025-45731] [Modified: 28-07-2025] [Analyzed] [V3.1 S6.5:MEDIUM] A group deletion race condition in 2FAuth v5.5.0 causes data inconsistencies and orphaned accounts when a group is deleted while other operations are pending.

[CVE-2025-4784] [Modified: 28-07-2025] [Analyzed] [V3.1 S9.8:CRITICAL] Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Moderec Tourtella allows SQL Injection.This issue affects Tourtella: before 26.05.2025.

[CVE-2025-33013] [Modified: 22-08-2025] [Analyzed] [V3.1 S6.2:MEDIUM] IBM MQ Operator LTS 2.0.0 through 2.0.29, MQ Operator CD 3.0.0, 3.0.1, 3.1.0 through 3.1.3, 3.3.0, 3.4.0, 3.4.1, 3.5.0, 3.5.1, 3.6.0, and MQ Operator SC2 3.2.0 through 3.2.13 Container could disclose sensitive information to a local user due to improper clearing of heap memory before release.

[CVE-2025-33109] [Modified: 11-08-2025] [Analyzed] [V3.1 S7.5:HIGH] IBM i 7.2, 7.3, 7.4, 7.5, and 7.6 is vulnerable to a privilege escalation caused by an invalid database authority check. A bad actor could execute a database procedure or function without having all required permissions, in addition to causing denial of service for some database actions.

[CVE-2025-36005] [Modified: 22-08-2025] [Analyzed] [V3.1 S5.9:MEDIUM] IBM MQ Operator LTS 2.0.0 through 2.0.29, MQ Operator CD 3.0.0, 3.0.1, 3.1.0 through 3.1.3, 3.3.0, 3.4.0, 3.4.1, 3.5.0, 3.5.1, 3.6.0, and MQ Operator SC2 3.2.0 through 3.2.13 Internet Pass-Thru could allow a malicious user to obtain sensitive information from another TLS session connection by the proxy to the same hostname and port due to improper certificate validation.

[CVE-2025-51082] [Modified: 28-07-2025] [Analyzed] [V3.1 S5.3:MEDIUM] Tenda AC8V4 V16.03.34.06` was discovered to contain stack overflow at /goform/fast_setting_wifi_set. The manipulation of the argument `timeZone` leads to stack-based buffer overflow.

[CVE-2025-51085] [Modified: 28-07-2025] [Analyzed] [V3.1 S5.3:MEDIUM] Tenda AC8V4 V16.03.34.06` was discovered to contain stack overflow at /goform/SetSysTimeCfg. The manipulation of the argument `timeZone` and `timeType` leads to stack-based buffer overflow.

[CVE-2025-51087] [Modified: 28-07-2025] [Analyzed] [V3.1 S8.6:HIGH] Tenda AC8V4 V16.03.34.06` was discovered to contain stack overflow at /goform/saveParentControlInfo. The manipulation of the argument time leads to stack-based buffer overflow.

[CVE-2025-51088] [Modified: 28-07-2025] [Analyzed] [V3.1 S5.3:MEDIUM] Tenda AC8V4 V16.03.34.06` was discovered to contain stack overflow at /goform/WifiGuestSet. The manipulation of the argument `shareSpeed` leads to stack-based buffer overflow.

[CVE-2025-51089] [Modified: 28-07-2025] [Analyzed] [V3.1 S6.5:MEDIUM] Tenda AC8V4 V16.03.34.06` was discovered to contain heap overflow at /goform/GetParentControlInfo.The manipulation of the argument `mac` leads to heap-based buffer overflow.

[CVE-2025-46993] [Modified: 25-07-2025] [Analyzed] [V3.1 S5.4:MEDIUM] Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.

[CVE-2025-46996] [Modified: 25-07-2025] [Analyzed] [V3.1 S5.4:MEDIUM] Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.

[CVE-2025-47061] [Modified: 25-07-2025] [Analyzed] [V3.1 S5.4:MEDIUM] Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.

[CVE-2025-45702] [Modified: 10-10-2025] [Analyzed] [V3.1 S6.5:MEDIUM] SoftPerfect Pty Ltd Connection Quality Monitor v1.1 was discovered to store all credentials in plaintext.