Bitcoin Core version 29.3 is now available for download. See the release notes for more information about the bug fixes in this release. If you have any questions, please stop by the #bitcoin IRC chatroom (IRC, web) and we'll do our best to help you.

[CVE-2025-13357] [Modified: 10-12-2025] [Analyzed] [V3.1 S7.4:HIGH] Vault's Terraform Provider incorrectly set the default value of the deny_null_bind parameter for the LDAP auth method to false, potentially resulting in an insecure configuration. If the underlying LDAP server allowed anonymous or unauthenticated binds, this could result in authentication bypass. This vulnerability, CVE-2025-13357, is fixed in Vault Terraform Provider v5.5.0.

[CVE-2025-13432] [Modified: 10-12-2025] [Analyzed] [V3.1 S4.3:MEDIUM] Terraform state versions can be created by a user with specific but insufficient permissions in a Terraform Enterprise workspace. This may allow the alteration of infrastructure if a subsequent plan operation is approved by a user with approval permission or is auto-applied. This vulnerability, CVE-2025-13432, is fixed in Terraform Enterprise versions 1.1.1 and 1.0.3.

[CVE-2025-41115] [Modified: 08-01-2026] [Analyzed] [V3.1 S10.0:CRITICAL] SCIM provisioning was introduced in Grafana Enterprise and Grafana Cloud in April to improve how organizations manage users and teams in Grafana by introducing automated user lifecycle management. In Grafana versions 12.x where SCIM provisioning is enabled and configured, a vulnerability in user identity handling allows a malicious or compromised SCIM client to provision a user with a numeric externalId, which in turn could allow internal user IDs to be overridden and lead to impersonation or privilege escalation. This vulnerability applies only if both of the following conditions are met: the `enableSCIM` feature flag is set to true, and the `user_sync_enabled` config option in the `[auth.scim]` block is set to true.

[CVE-2025-30201] [Modified: 02-12-2025] [Analyzed] [V3.1 S7.7:HIGH] Wazuh is a free and open source platform used for threat prevention, detection, and response. Prior to version 4.13.0, a vulnerability in Wazuh Agent allows authenticated attackers to force NTLM authentication through malicious UNC paths in various agent configuration settings, potentially leading to NTLM relay attacks that could result in privilege escalation and remote code execution. This issue has been patched in version 4.13.0.

[CVE-2025-48502] [Modified: 26-11-2025] [Analyzed] [V3.1 S5.5:MEDIUM] Improper input validation within AMD uProf can allow a local attacker to overwrite MSR registers, potentially resulting in a crash or denial of service.

[CVE-2025-54866] [Modified: 02-12-2025] [Analyzed] [V3.1 S5.5:MEDIUM] Wazuh is a free and open source platform used for threat prevention, detection, and response. From version 4.3.0 to before 4.13.0, a missing ACL on "C:\Program Files (x86)\ossec-agent\authd.pass" exposes the password to all "Authenticated Users" on the local machine. This issue has been patched in version 4.13.0.

[CVE-2025-62608] [Modified: 02-12-2025] [Analyzed] [V3.1 S9.1:CRITICAL] MLX is an array framework for machine learning on Apple silicon. Prior to version 0.29.4, there is a heap buffer overflow in mlx::core::load() when parsing malicious NumPy .npy files. An attacker-controlled file causes a 13-byte out-of-bounds read, leading to a crash or information disclosure. This issue has been patched in version 0.29.4.

[CVE-2025-62609] [Modified: 02-12-2025] [Analyzed] [V3.1 S7.5:HIGH] MLX is an array framework for machine learning on Apple silicon. Prior to version 0.29.4, there is a segmentation fault in mlx::core::load_gguf() when loading malicious GGUF files. An untrusted pointer returned by the external gguflib library is dereferenced without validation, causing an application crash. This issue has been patched in version 0.29.4.

[CVE-2025-64169] [Modified: 02-12-2025] [Analyzed] [V3.1 S4.9:MEDIUM] Wazuh is a free and open source platform used for threat prevention, detection, and response. From version 3.7.0 to before 4.12.0, the fim_alert() implementation does not check whether oldsum->md5 is NULL before dereferencing it. A compromised agent can cause a crash of analysisd by sending a specially crafted message to the Wazuh manager. This issue has been patched in version 4.12.0.

[CVE-2025-36149] [Modified: 02-12-2025] [Analyzed] [V3.1 S6.3:MEDIUM] IBM Concert Software 1.0.0 through 2.0.0 could allow a remote attacker to hijack the clicking action of the victim.

[CVE-2025-11935] [Modified: 03-12-2025] [Analyzed] [V3.1 S7.5:HIGH] With a TLS 1.3 pre-shared key (PSK), a malicious or faulty server could ignore the request for PFS (perfect forward secrecy) and the client would continue the connection using the PSK without PFS. This happened when a server responded to a ClientHello containing psk_dhe_ke without a key_share extension. The re-use of an authenticated PSK connection that, on the client's side, unexpectedly did not have PFS reduces the security of the connection.

[CVE-2025-31216] [Modified: 26-11-2025] [Analyzed] [V3.1 S2.4:LOW] The issue was addressed with improved checks. This issue is fixed in iPadOS 17.7.7, iOS 18.5 and iPadOS 18.5. An attacker with physical access to a device may be able to override managed Wi-Fi profiles.

[CVE-2025-31248] [Modified: 26-11-2025] [Analyzed] [V3.1 S5.5:MEDIUM] A parsing issue in the handling of directory paths was addressed with improved path validation. This issue is fixed in macOS Ventura 13.7.3, macOS Sequoia 15.5, macOS Sonoma 14.7.3. An app may be able to access sensitive user data.

[CVE-2025-31266] [Modified: 26-11-2025] [Analyzed] [V3.1 S4.3:MEDIUM] A spoofing issue was addressed with improved truncation when displaying the fully qualified domain name. This issue is fixed in Safari 18.5, macOS Sequoia 15.5. A website may be able to spoof the domain name in the title of a pop-up window.

[CVE-2025-43374] [Modified: 26-11-2025] [Analyzed] [V3.1 S4.3:MEDIUM] An out-of-bounds read was addressed with improved bounds checking. This issue is fixed in iPadOS 17.7.7, iOS 18.5 and iPadOS 18.5, visionOS 2.5, macOS Sonoma 14.7.3, macOS Ventura 13.7.3, macOS Sequoia 15.5, watchOS 11.5. An attacker in physical proximity may be able to cause an out-of-bounds read in kernel memory.

[CVE-2025-65107] [Modified: 03-12-2025] [Analyzed] [V3.1 S6.5:MEDIUM] Langfuse is an open source large language model engineering platform. In versions from 2.95.0 to before 2.95.12 and from 3.17.0 to before 3.131.0, in SSO provider configurations without an explicit AUTH_<PROVIDER>_CHECK setting, a potential account takeover may happen if an authenticated user is made to call a specifically crafted URL via a CSRF or phishing attack. This issue has been patched in versions 2.95.12 and 3.131.0. A workaround for this issue involves setting AUTH_<PROVIDER>_CHECK.

[CVE-2025-65111] [Modified: 31-12-2025] [Analyzed] [V3.1 S5.3:MEDIUM] SpiceDB is an open source database system for creating and managing security-critical application permissions. Prior to version 1.47.1, if a schema defines a permission in terms of a union (+) and that union references the same relation on both sides (but one side arrows to a different permission), then SpiceDB may return missing LookupResources results when checking the permission. This only affects LookupResources; other APIs calculate permissionship correctly. The issue is fixed in version 1.47.1.

[CVE-2025-11931] [Modified: 04-12-2025] [Analyzed] [V3.1 S8.2:HIGH] An integer underflow leads to out-of-bounds access in XChaCha20-Poly1305 decryption. This issue is hit specifically by calls to the function wc_XChaCha20Poly1305_Decrypt(), which is not used for TLS connections, only by direct calls from an application.

[CVE-2025-11932] [Modified: 04-12-2025] [Analyzed] [V3.1 S4.3:MEDIUM] The server previously verified the TLS 1.3 PSK binder using a non-constant-time method, which could potentially leak information about the PSK binder.

[CVE-2025-11933] [Modified: 03-12-2025] [Analyzed] [V3.1 S6.5:MEDIUM] Improper Input Validation in the TLS 1.3 CKS extension parsing in wolfSSL 5.8.2 and earlier on multiple platforms allows a remote unauthenticated attacker to potentially cause a denial-of-service via a crafted ClientHello message with duplicate CKS extensions.