[15/02/2026 08:40] Fazenda vê fim da 6×1 maduro no Congresso, mas texto pode afastar governo - Jovem Pan

[15/02/2026 19:23] Josias de Souza: Apoio de Ciro Nogueira a Toffoli cai no ridículo com racha do PP - UOL Notícias

[14/02/2026 08:28] Merz cita ordem mundial ‘sob destruição’ e acena ao Brasil - CartaCapital

[15/02/2026 16:57] Aeroporto de Guarulhos é fechado duas vezes na tarde deste domingo de carnaval devido à presença de drones - AEROIN

[15/02/2026 11:02] Blocos de carnaval tomam as ruas do DF neste domingo (15); veja programação - Correio Braziliense

[15/02/2026 10:30] 'Feminicídio indireto': caso Itumbiara expõe brecha na Lei Maria da Penha - UOL Notícias

[15/02/2026 11:09] Pai, mãe e filho de 2 anos cearenses morrem em acidente na Paraíba - Diário do Nordeste

[15/02/2026 09:52] Morre menina baleada na cabeça em tentativa de assalto em Nova Iguaçu, RJ - g1.globo.com

[15/02/2026 07:14] Anuidade limitada a R$ 500 não se aplica à OAB, decide STF - Revista Oeste

[14/02/2026 15:08] Chanceler de Israel vai participar de 1ª reunião de Conselho da Paz de Trump - UOL Notícias

[CVE-2025-11914] [Modified: 31-10-2025] [Analyzed] [V3.1 S4.3:MEDIUM] A vulnerability was found in Shenzhen Ruiming Technology Streamax Crocus 1.3.40. Affected by this issue is the function Download of the file /DeviceFileReport.do?Action=Download. Performing manipulation of the argument FilePath results in path traversal. The attack may be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

[CVE-2025-62642] [Modified: 31-10-2025] [Analyzed] [V3.1 S5.8:MEDIUM] The Restaurant Brands International (RBI) assistant platform through 2025-09-06 has an "Anyone Can Join This Party" signup API that does not verify user account creation, allowing a remote unauthenticated attacker to create a user account.

[CVE-2025-62643] [Modified: 31-10-2025] [Analyzed] [V3.1 S3.4:LOW] The Restaurant Brands International (RBI) assistant platform through 2025-09-06 transmits passwords of user accounts in cleartext e-mail messages.

[CVE-2025-62644] [Modified: 31-10-2025] [Analyzed] [V3.1 S5.0:MEDIUM] The Restaurant Brands International (RBI) assistant platform through 2025-09-06 has a Global Store Directory that shares personal information among authenticated users.

[CVE-2025-62645] [Modified: 04-11-2025] [Analyzed] [V3.1 S9.9:CRITICAL] The Restaurant Brands International (RBI) assistant platform through 2025-09-06 allows a remote authenticated attacker to obtain a token with administrative privileges for the entire platform via the createToken GraphQL mutation.

[CVE-2025-62646] [Modified: 31-10-2025] [Analyzed] [V3.1 S5.0:MEDIUM] The Restaurant Brands International (RBI) assistant platform through 2025-09-06 allows remote attackers to review the stored audio of conversations between associates and Drive Thru customers.

[CVE-2025-62647] [Modified: 31-10-2025] [Analyzed] [V3.1 S5.0:MEDIUM] The Restaurant Brands International (RBI) assistant platform through 2025-09-06 provides the functionality of returning a JWT that can be used to call an API to return a signed AWS upload URL, for any store's path.

[CVE-2025-62648] [Modified: 31-10-2025] [Analyzed] [V3.1 S6.4:MEDIUM] The Restaurant Brands International (RBI) assistant platform through 2025-09-06 allows remote attackers to adjust Drive Thru speaker audio volume.

[CVE-2025-62649] [Modified: 06-11-2025] [Analyzed] [V3.1 S5.8:MEDIUM] The Restaurant Brands International (RBI) assistant platform through 2025-09-06 relies on client-side authentication for submission of equipment orders.

[CVE-2025-62650] [Modified: 31-10-2025] [Analyzed] [V3.1 S8.3:HIGH] The Restaurant Brands International (RBI) assistant platform through 2025-09-06 relies on client-side authentication for use of the diagnostic screen.

[CVE-2025-62651] [Modified: 31-10-2025] [Analyzed] [V3.1 S6.5:MEDIUM] The Restaurant Brands International (RBI) assistant platform through 2025-09-06 does not implement access control for the bathroom rating interface.

[CVE-2017-20206] [Modified: 23-12-2025] [Analyzed] [V3.1 S9.8:CRITICAL] The Appointments plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 2.2.1 via deserialization of untrusted input from the `wpmudev_appointments` cookie. This allows unauthenticated attackers to inject a PHP Object. Attackers were actively exploiting this vulnerability with the WP_Theme() class to create backdoors.

[CVE-2017-20207] [Modified: 05-01-2026] [Analyzed] [V3.1 S9.8:CRITICAL] The Flickr Gallery plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.5.2 via deserialization of untrusted input from the `pager ` parameter. This allows unauthenticated attackers to inject a PHP Object. Attackers were actively exploiting this vulnerability with the WP_Theme() class to create backdoors.

[CVE-2017-20208] [Modified: 19-12-2025] [Analyzed] [V3.1 S9.8:CRITICAL] The RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress is vulnerable to PHP Object Injection in all versions up to 3.7.9.3 (exclusive) via deserialization of untrusted input from the is_expired_by_date() function. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to fetch a remote file and install it on the site.

[CVE-2025-10006] [Modified: 26-11-2025] [Analyzed] [V3.1 S6.4:MEDIUM] The WPBakery Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'rev_slider_vc' shortcode in all versions up to, and including, 8.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This is only exploitable when RevSlider is also installed.

[CVE-2025-11938] [Modified: 27-10-2025] [Analyzed] [V3.1 S5.6:MEDIUM] A vulnerability was found in ChurchCRM up to 5.18.0. This vulnerability affects unknown code of the file setup/routes/setup.php. Performing manipulation of the argument DB_PASSWORD/ROOT_PATH/URL results in deserialization. The attack may be initiated remotely. The attack's complexity is rated as high. It is stated that the exploitability is difficult. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

[CVE-2025-11939] [Modified: 27-10-2025] [Analyzed] [V3.1 S4.7:MEDIUM] A vulnerability was determined in ChurchCRM up to 5.18.0. This issue affects some unknown processing of the file src/ChurchCRM/Backup/RestoreJob.php of the component Backup Restore Handler. Executing manipulation of the argument restoreFile can lead to path traversal. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.

[CVE-2025-11941] [Modified: 12-01-2026] [Analyzed] [V3.1 S5.4:MEDIUM] A vulnerability was detected in e107 CMS up to 2.3.3. This impacts an unknown function of the file /e107_admin/image.php?mode=main&action=avatar of the component Avatar Handler. Performing manipulation of the argument multiaction[] results in path traversal. It is possible to initiate the attack remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

[CVE-2025-11942] [Modified: 17-11-2025] [Analyzed] [V3.1 S7.3:HIGH] A flaw has been found in 70mai X200 up to 20251010. Affected is an unknown function of the component Pairing. Executing manipulation can lead to missing authentication. It is possible to launch the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

[CVE-2025-11943] [Modified: 17-11-2025] [Analyzed] [V3.1 S7.3:HIGH] A vulnerability has been found in 70mai X200 up to 20251010. Affected by this vulnerability is an unknown functionality of the component HTTP Web Server. The manipulation leads to use of default credentials. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.