[09/02/2026 07:00] Caso Bolsonaro abre margem para inelegibilidade de Lula por desfile - oantagonista.com.br

[09/02/2026 19:21] Calor, frente fria, chuva forte e temporais: veja como fica o tempo no Carnaval - MetSul Meteorologia

[09/02/2026 21:11] Lula posa com prefeitos do PL e brinca: Valdemar vai bater neles - CNN Brasil

[09/02/2026 14:40] Jeffrey Epstein financiou modelos brasileiras e avisou dias antes sobre sua prisão; MPF apura citação em Natal - BBC

[09/02/2026 17:12] Justiça determina paralisação de atividades em mina da Vale em Ouro Preto - Estado de Minas

[09/02/2026 19:37] Câmara aprova tramitação em urgência para projeto que quebra patente do Mounjaro - Folha de S.Paulo

[10/02/2026 00:00] Fim da escala 6x1: entenda propostas enviadas à Comissão de Constituição e Justiça da Câmara - O Globo

[09/02/2026 23:00] Governo Lula libera recorde de R$ 1,5 bi em emendas no início do ano - Folha de S.Paulo

[09/02/2026 19:05] Acordo UE-Mercosul é aprovado e segue para votação no Congresso - Portal iG

[10/02/2026 07:33] Trump arruma nova crise com Canadá e agora ameaça impedir inauguração de uma ponte entre os dois países - O Globo

[CVE-2025-37729] [Modified: 11-12-2025] [Analyzed] [V3.1 S9.1:CRITICAL] Improper neutralization of special elements used in a template engine in Elastic Cloud Enterprise (ECE) can lead to a malicious actor with Admin access exfiltrating sensitive information and issuing commands via a specially crafted string where Jinjava variables are evaluated.

[CVE-2025-39964] [Modified: 03-02-2026] [Analyzed] [V3.1 S3.3:LOW] In the Linux kernel, the following vulnerability has been resolved: crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg Issuing two writes to the same af_alg socket is bogus as the data will be interleaved in an unpredictable fashion. Furthermore, concurrent writes may create inconsistencies in the internal socket state. Disallow this by adding a new ctx->write field that indiciates exclusive ownership for writing.

[CVE-2025-39965] [Modified: 03-02-2026] [Analyzed] [V3.1 S7.8:HIGH] In the Linux kernel, the following vulnerability has been resolved: xfrm: xfrm_alloc_spi shouldn't use 0 as SPI x->id.spi == 0 means "no SPI assigned", but since commit 94f39804d891 ("xfrm: Duplicate SPI Handling"), we now create states and add them to the byspi list with this value. __xfrm_state_delete doesn't remove those states from the byspi list, since they shouldn't be there, and this shows up as a UAF the next time we go through the byspi list.

[CVE-2025-43991] [Modified: 04-11-2025] [Analyzed] [V3.1 S6.3:MEDIUM] SupportAssist for Home PCs versions 4.8.2 and prior and SupportAssist for Business PCs versions 4.5.3 and prior, contain an UNIX Symbolic Link (Symlink) following vulnerability. A low privileged attacker with local access to the system could potentially exploit this vulnerability to delete arbitrary files only in that affected system.

[CVE-2025-11695] [Modified: 04-12-2025] [Analyzed] [V3.1 S8.0:HIGH] When tlsInsecure=False appears in a connection string, certificate validation is disabled. This vulnerability affects MongoDB Rust Driver versions prior to v3.2.5

[CVE-2025-62244] [Modified: 15-12-2025] [Analyzed] [V3.1 S4.3:MEDIUM] Insecure direct object reference (IDOR) vulnerability in Publications in Liferay Portal 7.3.1 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 GA through update 92, and 7.3 GA through update 36 allows remote authenticated attackers to view the edit page of a publication via the _com_liferay_change_tracking_web_portlet_PublicationsPortlet_ctCollectionId parameter.

[CVE-2025-7707] [Modified: 21-10-2025] [Analyzed] [V3.1 S7.8:HIGH] The llama_index library version 0.12.33 sets the NLTK data directory to a subdirectory of the codebase by default, which is world-writable in multi-user environments. This configuration allows local users to overwrite, delete, or corrupt NLTK data files, leading to potential denial of service, data tampering, or privilege escalation. The vulnerability arises from the use of a shared cache directory instead of a user-specific one, making it susceptible to local data tampering and denial of service.

[CVE-2025-62170] [Modified: 20-10-2025] [Analyzed] [V3.1 S7.5:HIGH] rAthena is an open-source cross-platform MMORPG server. A use-after-free vulnerability exists in the RODEX functionality of rAthena's map-server in versions prior to commit af2f3ba. An unauthenticated attacker can exploit this vulnerability via a specific attacking scenario to cause a denial of service by crashing the map-server. This issue has been patched in commit af2f3ba. There are no known workarounds aside from manually applying the patch.

[CVE-2025-62243] [Modified: 15-12-2025] [Analyzed] [V3.1 S5.4:MEDIUM] Insecure direct object reference (IDOR) vulnerability in Publications in Liferay Portal 7.4.1 through 7.4.3.112, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 GA through update 92 allows remote authenticated attackers to view publication comments via the _com_liferay_change_tracking_web_portlet_PublicationsPortlet_value parameter. Publications comments in Liferay Portal 7.4.1 through 7.4.3.112, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 GA through update 92 does not properly check user permissions, which allows remote authenticated users to edit publication comments via crafted URLs.

[CVE-2025-58084] [Modified: 29-10-2025] [Analyzed] [V3.1 S3.5:LOW] Mattermost Desktop App versions <= 5.13.0 fail to validate URLs external to the configured Mattermost servers, allowing an attacker on a server the user has configured to crash the user's application by sending the user a malformed URL.

[CVE-2025-62241] [Modified: 12-11-2025] [Analyzed] [V3.1 S4.3:MEDIUM] Insecure Direct Object Reference (IDOR) vulnerability with shipment addresses in Liferay DXP 2023.Q4.1 through 2023.Q4.5 allows remote authenticated users to from one virtual instance to view the shipment addresses of different virtual instance via the _com_liferay_commerce_order_web_internal_portlet_CommerceOrderPortlet_commerceOrderId parameter.

[CVE-2025-62242] [Modified: 07-11-2025] [Analyzed] [V3.1 S4.3:MEDIUM] Insecure Direct Object Reference (IDOR) vulnerability with account addresses in Liferay Portal 7.4.3.4 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 GA through update 92 allows remote authenticated users to from one account to view addresses from a different account via the _com_liferay_account_admin_web_internal_portlet_AccountEntriesAdminPortlet_addressId parameter.

[CVE-2025-59836] [Modified: 04-12-2025] [Analyzed] [V3.1 S5.3:MEDIUM] Omni manages Kubernetes on bare metal, virtual machines, or in a cloud. Prior to 1.1.5 and 1.0.2, there is a nil pointer dereference vulnerability in the Omni Resource Service allows unauthenticated users to cause a server panic and denial of service by sending empty create/update resource requests through the API endpoints. The vulnerability exists in the isSensitiveSpec function which calls grpcomni.CreateResource without checking if the resource's metadata field is nil. When a resource is created with an empty Metadata field, the CreateResource function attempts to access resource.Metadata.Version causing a segmentation fault. This vulnerability is fixed in 1.1.5 and 1.0.2.

[CVE-2025-61688] [Modified: 04-12-2025] [Analyzed] [V3.1 S8.6:HIGH] Omni manages Kubernetes on bare metal, virtual machines, or in a cloud. Prior to 1.1.5 and 1.0.2, Omni might leak sensitive information via an API.

[CVE-2025-62174] [Modified: 20-10-2025] [Analyzed] [V3.1 S3.5:LOW] Mastodon is a free, open-source social network server based on ActivityPub. In Mastodon before 4.4.6, 4.3.14, and 4.2.27, when an administrator resets a user account's password via the command-line interface using `bin/tootctl accounts modify --reset-password`, active sessions and access tokens for that account are not revoked. This allows an attacker with access to a previously compromised session or token to continue using the account after the password has been reset. This issue has been patched in versions 4.2.27, 4.3.14, and 4.4.6. No known workarounds exist.

[CVE-2025-62175] [Modified: 20-10-2025] [Analyzed] [V3.1 S4.3:MEDIUM] Mastodon is a free, open-source social network server based on ActivityPub. In versions before 4.4.6, 4.3.14, and 4.2.27, disabling or suspending a user account does not disconnect the account from the streaming API. This allows disabled or suspended accounts to continue receiving real-time updates through existing streaming connections and to establish new streaming connections, even though they cannot interact with other API endpoints. This undermines moderation actions, as administrators expect disabled or suspended accounts to be fully disconnected from the service. This issue has been patched in versions 4.4.6, 4.3.14, and 4.2.27. No known workarounds exist.

[CVE-2025-62176] [Modified: 20-10-2025] [Analyzed] [V3.1 S4.3:MEDIUM] Mastodon is a free, open-source social network server based on ActivityPub. In Mastodon before 4.4.6, 4.3.14, and 4.2.27, the streaming server accepts serving events for public timelines to clients using any valid authentication token, even if those tokens lack the read:statuses scope. This allows OAuth clients without the read scope to subscribe to public channels and receive public timeline events. The impact is limited, as this only affects new public posts published on the public timelines and requires an otherwise valid token, but this may lead to unexpected access to public posts in a limited-federation setting. This issue has been patched in versions 4.4.6, 4.3.14, and 4.2.27. No known workarounds exist.

[CVE-2025-62246] [Modified: 12-12-2025] [Analyzed] [V3.1 S5.4:MEDIUM] Multiple stored cross-site scripting (XSS) vulnerabilities in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92, and older unsupported versions allow remote authenticated users to inject arbitrary web script or HTML via a crafted payload injected into a user’s first, middle or last name text field to (1) page comments widget, (2) blog entry comments, (3) document and media document comments, (4) message board messages, (5) wiki page comments or (6) other widgets/apps that supports mentions.

[CVE-2025-62252] [Modified: 12-12-2025] [Analyzed] [V3.1 S4.3:MEDIUM] Insecure Direct Object Reference (IDOR) vulnerability in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions allows remote authenticated users in one virtual instance to assign an organization to a user in a different virtual instance via the _com_liferay_users_admin_web_portlet_UsersAdminPortlet_addUserIds parameter.

[CVE-2025-11623] [Modified: 15-10-2025] [Analyzed] [V3.1 S6.5:MEDIUM] SQL injection in Ivanti Endpoint Manager allows a remote authenticated attacker to read arbitrary data from the database.