[30/04/2026 12:00] Alcolumbre retira do PL da dosimetria trecho que contradiz Lei Antifacção - CNN Brasil

[30/04/2026 08:04] Senado rejeita Jorge Messias no STF: a reação das lideranças evangélicas à votação - BBC

[30/04/2026 11:05] Pesquisa Quaest para o governo do RS mostra Juliana Brizola com 24% e Zucco com 21% - GZH

[30/04/2026 08:03] Genial/Quaest: no CE, Ciro bate Elmano e empata com Camilo no 2º turno - Metrópoles

[30/04/2026 04:13] Alcolumbre negociou com direita reeleição para comando do Senado - Metrópoles

[29/04/2026 09:03] Couto promove mais três mudanças no primeiro escalão, com exonerações na Fazenda, Planejamento e Ambiente - O GLOBO

[30/04/2026 08:54] Menina de 6 anos é estuprada por marido da madrinha dela no Cabana - Estado de Minas

[30/04/2026 09:01] Alerta de chuva volumosa com risco de alagamentos e inundações - MetSul Meteorologia

[30/04/2026 00:01] Empresário condenado por corrupção e envolvido na 'farra dos guardanapos' estava em voo que veio do Caribe com Motta e Ciro Nogueira - G1

[29/04/2026 23:00] Alcolumbre deve enterrar CPI do Master em acordo com oposição por redução de pena de Bolsonaro - Folha de S.Paulo

[CVE-2025-61037] [Modified: 14-01-2026] [Analyzed] [V3.1 S7.0:HIGH] A local privilege escalation vulnerability exists in SevenCs ORCA G2 2.0.1.35 (EC2007 Kernel v5.22). The flaw is a Time-of-Check Time-of-Use (TOCTOU) race condition in the license management logic. The regService process, which runs with SYSTEM privileges, creates a fixed directory and writes files without verifying whether the path is an NTFS reparse point. By exploiting this race condition, an attacker can replace the target directory with a junction pointing to a user-controlled path. This causes the SYSTEM-level process to drop binaries in a location fully controlled by the attacker, allowing arbitrary code execution with SYSTEM privileges. The vulnerability can be exploited by any standard user with only a single UAC confirmation, making it highly practical and dangerous in real-world environments.

[CVE-2025-64699] [Modified: 14-01-2026] [Analyzed] [V3.1 S7.8:HIGH] An incorrect NULL DACL issue exists in SevenCs ORCA G2 2.0.1.35 (EC2007 Kernel v5.22). The regService process, which runs with SYSTEM privileges, applies a Security Descriptor to a device object with no explicitly configured DACL. This condition could allow an attacker to perform unauthorized raw disk operations, which could lead to system disruption (DoS) and exposure of sensitive data, and may facilitate local privilege escalation.

[CVE-2025-15391] [Modified: 29-04-2026] [Analyzed] [V3.1 S6.3:MEDIUM] A weakness has been identified in D-Link DIR-806A 100CNb11. Affected is the function ssdpcgi_main of the component SSDP Request Handler. This manipulation causes command injection. The attack can be initiated remotely. The exploit has been made available to the public and could be exploited. This vulnerability only affects products that are no longer supported by the maintainer.

[CVE-2025-15392] [Modified: 29-04-2026] [Analyzed] [V3.1 S6.3:MEDIUM] A weakness has been identified in Kohana KodiCMS up to 13.82.135. This affects the function like of the file cms/modules/pages/classes/kodicms/model/page.php of the component Search API Endpoint. Executing manipulation of the argument keyword can lead to sql injection. It is possible to launch the attack remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way.

[CVE-2025-15393] [Modified: 29-04-2026] [Analyzed] [V3.1 S6.3:MEDIUM] A security vulnerability has been detected in Kohana KodiCMS up to 13.82.135. This impacts the function Save of the file cms/modules/kodicms/classes/kodicms/model/file.php of the component Layout API Endpoint. The manipulation of the argument content leads to code injection. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

[CVE-2025-15394] [Modified: 29-04-2026] [Analyzed] [V3.1 S4.7:MEDIUM] A vulnerability was detected in iCMS up to 8.0.0. Affected is the function Save of the file app/config/ConfigAdmincp.php of the component POST Parameter Handler. The manipulation of the argument config results in code injection. The attack can be launched remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

[CVE-2025-34467] [Modified: 02-02-2026] [Analyzed] [V3.1 S4.3:MEDIUM] ZwiiCMS versions prior to 13.7.00 contain a denial-of-service vulnerability in multiple administrative endpoints due to improper authorization checks combined with flawed resource state management. When an authenticated low-privilege user requests an administrative page, the application returns "404 Not Found" as expected, but incorrectly acquires and associates a temporary lock on the targeted resource with the attacker session prior to authorization. This lock prevents other users, including administrators, from accessing the affected functionality until the attacker navigates away or the session is terminated.

[CVE-2025-34468] [Modified: 14-01-2026] [Analyzed] [V3.1 S9.8:CRITICAL] libcoap versions up to and including 4.3.5, prior to commit 30db3ea, contain a stack-based buffer overflow in address resolution when attacker-controlled hostname data is copied into a fixed 256-byte stack buffer without proper bounds checking. A remote attacker can trigger a crash and potentially achieve remote code execution depending on compiler options and runtime memory protections. Exploitation requires the proxy logic to be enabled (i.e., the proxy request handling code path in an application using libcoap).

[CVE-2015-10145] [Modified: 29-01-2026] [Analyzed] [V3.1 S8.8:HIGH] Gargoyle router management utility versions 1.5.x contain an authenticated OS command execution vulnerability in /utility/run_commands.sh. The application fails to properly restrict or validate input supplied via the 'commands' parameter, allowing an authenticated attacker to execute arbitrary shell commands on the underlying system. Successful exploitation may result in full compromise of the device, including unauthorized access to system files and execution of attacker-controlled commands.

[CVE-2025-15398] [Modified: 29-04-2026] [Analyzed] [V3.1 S3.7:LOW] A security vulnerability has been detected in Uasoft badaso up to 2.9.7. Affected is the function forgetPassword of the file src/Controllers/BadasoAuthController.php of the component Token Handler. Such manipulation leads to weak password recovery. The attack can be executed remotely. This attack is characterized by high complexity. The exploitability is told to be difficult. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

[CVE-2025-34469] [Modified: 13-01-2026] [Analyzed] [V3.1 S7.5:HIGH] Cowrie versions prior to 2.9.0 contain a server-side request forgery (SSRF) vulnerability in the emulated shell implementation of wget and curl. In the default emulated shell configuration, these command emulations perform real outbound HTTP requests to attacker-supplied destinations. Because no outbound request rate limiting was enforced, unauthenticated remote attackers could repeatedly invoke these commands to generate unbounded HTTP traffic toward arbitrary third-party targets, allowing the Cowrie honeypot to be abused as a denial-of-service amplification node and masking the attacker’s true source address behind the honeypot’s IP.

[CVE-2025-68700] [Modified: 06-01-2026] [Analyzed] [V3.1 S8.8:HIGH] RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. In versions prior to 0.23.0, a low-privileged authenticated user (normal login account) can execute arbitrary system commands on the server host process via the frontend Canvas CodeExec component, completely bypassing sandbox isolation. This occurs because untrusted data (stdout) is parsed using eval() with no filtering or sandboxing. The intended design was to "automatically convert string results into Python objects," but this effectively executes attacker-controlled code. Additional endpoints lack access control or contain inverted permission logic, significantly expanding the attack surface and enabling chained exploitation. Version 0.23.0 contains a patch for the issue.

[CVE-2025-69286] [Modified: 06-01-2026] [Analyzed] [V3.1 S9.8:CRITICAL] RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. In versions prior to 0.22.0, the use of an insecure key generation algorithm in the API key and beta (assistant/agent share auth) token generation process allows these tokens to be mutually derivable. Specifically, both tokens are generated using the same `URLSafeTimedSerializer` with predictable inputs, enabling an unauthorized user who obtains the shared assistant/agent URL to derive the personal API key. This grants them full control over the assistant/agent owner's account. Version 0.22.0 fixes the issue.

[CVE-2025-69288] [Modified: 13-01-2026] [Analyzed] [V3.1 S9.1:CRITICAL] Titra is open source project time tracking software. Prior to version 0.99.49, Titra allows any authenticated Admin user to modify the timeEntryRule in the database. The value is then passed to a NodeVM value to execute as code. Without sanitization, it leads to a Remote Code Execution. Version 0.99.49 fixes the issue.

[CVE-2025-67703] [Modified: 06-01-2026] [Analyzed] [V3.1 S6.1:MEDIUM] There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim’s browser.

[CVE-2025-67704] [Modified: 06-01-2026] [Analyzed] [V3.1 S6.1:MEDIUM] There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim’s browser.

[CVE-2025-67705] [Modified: 06-01-2026] [Analyzed] [V3.1 S6.1:MEDIUM] There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim’s browser.

[CVE-2025-67706] [Modified: 19-02-2026] [Analyzed] [V3.1 S5.6:MEDIUM] ArcGIS Server versions 11.5 and earlier on Windows and Linux do not sufficiently validate uploaded files, enabling a remote unauthenticated attacker to upload arbitrary files to the server’s designated upload directories. However, the server’s architecture enforces controls that restrict uploaded files to non‑executable storage locations and prevent modification or replacement of existing application components or system configurations. Uploaded files cannot be executed, leveraged to escalate privileges, or used to access sensitive data. Because the issue does not enable execution, service disruption, unauthorized access, or integrity compromise, its impact on confidentiality, integrity, and availability is low. Note that race conditions, secret values, or man‑in‑the‑middle conditions are required for exploitation.

[CVE-2025-67707] [Modified: 20-02-2026] [Analyzed] [V3.1 S5.6:MEDIUM] ArcGIS Server versions 11.5 and earlier on Windows and Linux do not sufficiently validate uploaded files, enabling a remote unauthenticated attacker to upload arbitrary files to the server’s designated upload directories. However, the server’s architecture enforces controls that restrict uploaded files to non‑executable storage locations and prevent modification or replacement of existing application components or system configurations. Uploaded files cannot be executed, leveraged to escalate privileges, or used to access sensitive data. Because the issue does not enable execution, service disruption, unauthorized access, or integrity compromise, its impact on confidentiality, integrity, and availability is low. Note that race conditions, secret values, or man‑in‑the‑middle conditions are required for exploitation.

[CVE-2025-67708] [Modified: 06-01-2026] [Analyzed] [V3.1 S6.1:MEDIUM] There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim’s browser.