Current Conditions
São Paulo
céu limpo

21 ℃
84%
Temperatura
Umidade
Fonte: OpenWeatherMap. - 00:30:01
  1. [USD] USD 70,881.44
  1. [BRL] BRL 361,566.17 [USD] USD 70,881.44 [GBP] GBP 52,916.47 [EUR] EUR 60,770.91
    Price index provided by blockchain.info.
  2. Bitcoin Core version 28.4 is now available for download. See the release notes for more information about the bug fixes in this release.
    If you have any questions, please stop by the #bitcoin IRC chatroom (IRC, web) and we’ll do our best to help you.

[CVE-2025-61808] [Modified: 12-12-2025] [Analyzed] [V3.1 S9.1:CRITICAL] ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Unrestricted Upload of File with Dangerous Type vulnerability that could lead to arbitrary code execution by a high priviledged attacker. Exploitation of this issue does not require user interaction and scope is changed.

[CVE-2025-61809] [Modified: 12-12-2025] [Analyzed] [V3.1 S9.1:CRITICAL] ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Improper Input Validation vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized read and write access. Exploitation of this issue does not require user interaction and scope is unchanged.

[CVE-2025-61810] [Modified: 12-12-2025] [Analyzed] [V3.1 S8.4:HIGH] ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. A high privileged attacker could exploit this vulnerability by providing maliciously crafted serialized data to the application. Exploitation of this issue requires user interaction and scope is changed.

[CVE-2025-61812] [Modified: 12-12-2025] [Analyzed] [V3.1 S8.4:HIGH] ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Improper Input Validation vulnerability that could allow a high privileged attacker to gain arbitrary code execution. Exploitation of this issue does not require user interaction.

[CVE-2025-61813] [Modified: 12-12-2025] [Analyzed] [V3.1 S8.2:HIGH] ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files on the server. Exploitation of this issue does not require user interaction and scope is changed.

[CVE-2025-61821] [Modified: 12-12-2025] [Analyzed] [V3.1 S6.8:MEDIUM] ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files and data on the server. Exploitation of this issue does not require user interaction and scope is changed.

[CVE-2025-61822] [Modified: 12-12-2025] [Analyzed] [V3.1 S6.2:MEDIUM] ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Improper Input Validation vulnerability that could lead to arbitrary file system write. An attacker could exploit this vulnerability to write malicious files to arbitrary locations on the file system. Exploitation of this issue does not require user interaction and scope is changed.

[CVE-2025-61823] [Modified: 12-12-2025] [Analyzed] [V3.1 S6.2:MEDIUM] ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could lead to arbitrary file system read. A high privileged attacker could exploit this vulnerability to access sensitive files and data on the server. Exploitation of this issue requires user interaction and scope is changed.

[CVE-2025-64897] [Modified: 12-12-2025] [Analyzed] [V3.1 S5.6:MEDIUM] ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Improper Access Control vulnerability. A low privileged attacker could leverage this vulnerability to bypass security measures and gain limited unauthorized write access potentially resulting in denial of service. Exploitation of this issue requires user interaction.

[CVE-2025-64898] [Modified: 12-12-2025] [Analyzed] [V3.1 S4.3:MEDIUM] ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Insufficiently Protected Credentials vulnerability that could result in limited unauthorized write access. An attacker could leverage this vulnerability to gain unauthorized access by exploiting improperly stored or transmitted credentials. Exploitation of this issue does not require user interaction.

[CVE-2025-67499] [Modified: 17-03-2026] [Analyzed] [V3.1 S6.6:MEDIUM] The CNI portmap plugin allows containers to emulate opening a host port, forwarding that traffic to the container. Versions 1.6.0 through 1.8.0 inadvertently forward all traffic with the same destination port as the host port when the portmap plugin is configured with the nftables backend, thus ignoring the destination IP. This includes traffic not intended for the node itself, i.e. traffic to containers hosted on the node. Containers that request HostPort forwarding can intercept all traffic destined for that port. This requires that the portmap plugin be explicitly configured to use the nftables backend. This issue is fixed in version 1.9.0. To workaround, configure the portmap plugin to use the iptables backend. It does not have this vulnerability.

[CVE-2025-67500] [Modified: 19-12-2025] [Analyzed] [V3.1 S3.7:LOW] Mastodon is a free, open-source social network server based on ActivityPub. Versions 4.2.27 and prior, 4.3.0-beta.1 through 4.3.14, 4.4.0-beta.1 through 4.4.9, 4.5.0-beta.1 through 4.5.2 have discrepancies in error handling which allow checking whether a given status exists by sending a request with a non-English Accept-Language header. Using this behavior, an attacker who knows the identifier of a particular status they are not allowed to see can confirm whether this status exists or not. This cannot be used to learn the contents of the status or any other property besides its existence. This issue is fixed in versions 4.2.28, 4.3.15, 4.4.10 and 4.5.3.

[CVE-2025-67501] [Modified: 18-12-2025] [Analyzed] [V3.1 S8.8:HIGH] WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Versions 3.5.4 and below contain an SQL Injection vulnerability in the /html/matPat/editar_categoria.php endpoint. The application fails to properly validate and sanitize user inputs in the id_categoria parameter, which allows attackers to inject malicious SQL payloads for direct execution. This issue is fixed in version 3.5.5.

[CVE-2025-67502] [Modified: 16-12-2025] [Analyzed] [V3.1 S5.4:MEDIUM] Taguette is an open source qualitative research tool. In versions 1.5.1 and below, attackers can craft malicious URLs that redirect users to arbitrary external websites after authentication. The application accepts a user-controlled next parameter and uses it directly in HTTP redirects without any validation. This can be exploited for phishing attacks where victims believe they are interacting with a trusted Taguette instance but are redirected to a malicious site designed to steal credentials or deliver malware. This issue is fixed in version 1.5.2.

[CVE-2025-67485] [Modified: 09-03-2026] [Analyzed] [V3.1 S5.3:MEDIUM] mad-proxy is a Python-based HTTP/HTTPS proxy server for detection and blocking of malicious web activity using custom security policies. Versions 0.3 and below allow attackers to bypass HTTP/HTTPS traffic interception rules, potentially exposing sensitive traffic. This issue does not have a fix at the time of publication.

[CVE-2025-67506] [Modified: 17-03-2026] [Analyzed] [V3.1 S9.8:CRITICAL] PipesHub is a fully extensible workplace AI platform for enterprise search and workflow automation. Versions prior to 0.1.0-beta expose POST /api/v1/record/buffer/convert through missing authentication. The endpoint accepts a file upload and converts it to PDF via LibreOffice by uploading payload to os.path.join(tmpdir, file.filename) without normalizing the filename. An attacker can submit a crafted filename containing ../ sequences to write arbitrary files anywhere the service account has permission, enabling remote file overwrite or planting malicious code. This issue is fixed in version 0.1.0-beta.

[CVE-2025-67507] [Modified: 04-03-2026] [Analyzed] [V3.1 S8.1:HIGH] Filament is a collection of full-stack components for accelerated Laravel development. Versions 4.0.0 through 4.3.0 contain a flaw in the handling of recovery codes for app-based multi-factor authentication, allowing the same recovery code to be reused indefinitely. This issue does not affect email-based MFA. It also only applies when recovery codes are enabled. This issue is fixed in version 4.3.1.

[CVE-2025-9056] [Modified: 02-01-2026] [Analyzed] [V3.1 S5.3:MEDIUM] Unprotected service in the AudioLink component allows a local attacker to overwrite system files via unauthorized service invocation.

[CVE-2025-66675] [Modified: 16-12-2025] [Analyzed] [V3.1 S8.2:HIGH] Denial of Service vulnerability in Apache Struts, file leak in multipart request processing causes disk exhaustion. This issue affects Apache Struts: from 2.0.0 through 6.7.4, from 7.0.0 through 7.0.3. Users are recommended to upgrade to version 6.8.0 or 7.1.1, which fixes the issue. It's related to  https://cve.org/CVERecord?id=CVE-2025-64775  - this CVE addresses missing affected version 6.7.4

[CVE-2025-41730] [Modified: 19-12-2025] [Analyzed] [V3.1 S9.8:CRITICAL] An unauthenticated remote attacker can abuse unsafe sscanf calls within the check_account() function to write arbitrary data into fixed-size stack buffers which leads to full device compromise.