[CVE-2025-11123] [Modified: 03-10-2025] [Analyzed] [V3.1 S8.8:HIGH] A flaw has been found in Tenda AC18 15.03.05.19. This impacts an unknown function of the file /goform/saveAutoQos. This manipulation of the argument enable causes stack-based buffer overflow. The attack may be initiated remotely. The exploit has been published and may be used.

[CVE-2025-11124] [Modified: 23-10-2025] [Analyzed] [V3.1 S3.5:LOW] A vulnerability has been found in code-projects Project Monitoring System 1.0. Affected is an unknown function of the file /onlineJobSearchEngine/postjob.php. Such manipulation of the argument txtapplyto leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well.

[CVE-2025-11136] [Modified: 11-12-2025] [Analyzed] [V3.1 S4.7:MEDIUM] A flaw has been found in YiFang CMS up to 2.0.2. The impacted element is the function webUploader of the file app/app/controller/File.php of the component Backend. Executing manipulation of the argument uploadpath can lead to unrestricted upload. The attack can be launched remotely. The exploit has been published and may be used.

[CVE-2025-11138] [Modified: 10-10-2025] [Analyzed] [V3.1 S6.3:MEDIUM] A vulnerability was found in mirweiye wenkucms up to 3.4. This impacts the function createPathOne of the file app/common/common.php. The manipulation results in os command injection. The attack may be launched remotely. The exploit has been made public and could be used.

[CVE-2025-11139] [Modified: 03-10-2025] [Analyzed] [V3.1 S6.3:MEDIUM] A vulnerability was determined in Bjskzy Zhiyou ERP up to 11.0. Affected is the function uploadStudioFile of the component com.artery.form.services.FormStudioUpdater. This manipulation of the argument filepath causes path traversal. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.

[CVE-2025-11140] [Modified: 03-10-2025] [Analyzed] [V3.1 S7.3:HIGH] A vulnerability was identified in Bjskzy Zhiyou ERP up to 11.0. Affected by this vulnerability is the function openForm of the component com.artery.richclient.RichClientService. Such manipulation of the argument contentString leads to xml external entity reference. The attack can be executed remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

[CVE-2025-48006] [Modified: 14-10-2025] [Analyzed] [V3.1 S9.1:CRITICAL] Improper restriction of XML external entity reference issue exists in DataSpider Servista 4.4 and earlier. If a specially crafted request is processed, arbitrary files on the file system where the server application for the product is installed may be read, or a denial-of-service (DoS) condition may occur.

[CVE-2025-10341] [Modified: 02-10-2025] [Analyzed] [V3.1 S6.1:MEDIUM] HTML injection vulnerability in Perfex CRM v3.2.1 consisting of a stored HTML injection due to lack of proper validation of user input by sending a POST request in the parameter 'company' at the endpoint '/clients/client/x'.

[CVE-2025-10342] [Modified: 02-10-2025] [Analyzed] [V3.1 S6.1:MEDIUM] HTML injection vulnerability in Perfex CRM v3.2.1 consisting of a stored HTML injection due to lack of proper validation of user input by sending a POST request in the parameter 'name' at the endpoint '/subscriptions/create'.

[CVE-2025-10343] [Modified: 02-10-2025] [Analyzed] [V3.1 S6.1:MEDIUM] HTML injection vulnerability in Perfex CRM v3.2.1 consisting of a stored HTML injection due to lack of proper validation of user input by sending a POST request in the parameter 'expense_name' at the endpoint '/expenses/expense'.

[CVE-2025-10344] [Modified: 02-10-2025] [Analyzed] [V3.1 S6.1:MEDIUM] HTML injection vulnerability in Perfex CRM v3.2.1 consisting of a stored HTML injection due to lack of proper validation of user input by sending a POST request in the parameters 'name' and 'clientid' at the endpoint '/projects/project/x'.

[CVE-2025-10345] [Modified: 02-10-2025] [Analyzed] [V3.1 S6.1:MEDIUM] HTML injection vulnerability in Perfex CRM v3.2.1 consisting of a stored HTML injection due to lack of proper validation of user input by sending a POST request in the parameters 'name' and 'address' at the endpoint 'admin/leads/lead'.

[CVE-2025-10346] [Modified: 02-10-2025] [Analyzed] [V3.1 S6.1:MEDIUM] HTML injection vulnerability in Perfex CRM v3.2.1 consisting of a stored HTML injection due to lack of proper validation of user input by sending a POST request in the parameter 'subject' at the endpoint 'knoewledge_base/article'.

[CVE-2025-11146] [Modified: 16-10-2025] [Analyzed] [V3.1 S5.4:MEDIUM] Reflected cross-site scripting (XSS) in Apt-Cacher-NG v3.2.1. The vulnerability allows an attacker to execute malicious scripts (XSS) in the web management application. The vulnerability is caused by improper handling of GET inputs included in the URL in "/acng-report.html".

[CVE-2025-11147] [Modified: 16-10-2025] [Analyzed] [V3.1 S5.4:MEDIUM] Reflected cross-site scripting (XSS) in Apt-Cacher-NG v3.2.1. The vulnerability allows malicious scripts (XSS) to be executed in "/html/<filename>.html".

[CVE-2025-6724] [Modified: 16-10-2025] [Analyzed] [V3.1 S8.8:HIGH] In Progress Chef Automate, versions earlier than 4.13.295, on Linux x86 platform, an authenticated attacker can gain access to Chef Automate restricted functionality in multiple services via improperly neutralized inputs used in an SQL command.

[CVE-2025-8868] [Modified: 16-10-2025] [Analyzed] [V3.1 S9.8:CRITICAL] In Progress Chef Automate, versions earlier than 4.13.295, on Linux x86 platform, an authenticated attacker can gain access to Chef Automate restricted functionality in the compliance service via improperly neutralized inputs used in an SQL command using a well-known token.

[CVE-2025-36351] [Modified: 03-10-2025] [Analyzed] [V3.1 S4.3:MEDIUM] IBM License Metric Tool 9.2.0 through 9.2.40 could allow an authenticated user to bypass access controls in the REST API interface and perform unauthorized actions.

[CVE-2025-36352] [Modified: 03-10-2025] [Analyzed] [V3.1 S6.4:MEDIUM] IBM License Metric Tool 9.2.0 through 9.2.40 is vulnerable to stored cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.

[CVE-2025-55795] [Modified: 16-10-2025] [Analyzed] [V3.1 S3.5:LOW] The openml/openml.org web application version v2.0.20241110 uses incremental user IDs and insufficient email ownership verification during email update workflows. An authenticated attacker controlling a user account with a lower user ID can update their email address to that of another user with a higher user ID without proper verification. This results in the victim's email being reassigned to the attacker's account, causing the victim to be locked out immediately and unable to log in. The vulnerability leads to denial of service via account lockout but does not grant the attacker direct access to the victim's private data.