[CVE-2025-67895] [Modified: 22-12-2025] [Analyzed] [V3.1 S9.8:CRITICAL] Edge3 Worker RPC RCE on Airflow 2. This issue affects Apache Airflow Providers Edge3 before 2.0.0, and only if you installed and configured it on Airflow 2. Edge3 provider support in Airflow 2 has always been development-only and was never officially released; however, if you installed and configured the Edge3 provider in Airflow 2, it implicitly enabled a (normally non-public) API that was used to test the Edge provider on Airflow 2 during development. This API allowed a Dag author to perform Remote Code Execution in the webserver context, which a Dag author is not supposed to be able to do. If you installed and configured the Edge3 provider for Airflow 2, you should uninstall it and migrate to Airflow 3. The new Edge3 provider versions (>=2.0.0) have their minimum Airflow version set to 3 and the RCE-prone Airflow 2 code has been removed, so it should no longer be possible to use Edge3 provider 2.0.0+ on Airflow 2. If you used the Edge provider on Airflow 3, you are not affected.

[CVE-2025-13352] [Modified: 29-12-2025] [Analyzed] [V3.1 S3.0:LOW] Mattermost versions 10.11.x <= 10.11.6 and Mattermost GitHub plugin versions <=2.4.0 fail to validate plugin bot identity in reaction forwarding which allows attackers to hijack the GitHub reaction feature to make users add reactions to arbitrary GitHub objects via crafted notification posts.

[CVE-2025-62190] [Modified: 29-12-2025] [Analyzed] [V3.1 S4.3:MEDIUM] Mattermost versions 11.0.x <= 11.0.4, 10.12.x <= 10.12.2, 10.11.x <= 10.11.6 and Mattermost Calls versions <=1.10.0 fail to implement CSRF protection on the Calls widget page, which allows an authenticated attacker to initiate calls and inject messages into channels or direct messages via a malicious webpage or crafted link.

[CVE-2025-62690] [Modified: 29-12-2025] [Analyzed] [V3.1 S3.1:LOW] Mattermost versions 10.11.x <= 10.11.4 fail to validate redirect URLs on the /error page, which allows an attacker to redirect a victim to a malicious site via a crafted link opened in a new tab.

[CVE-2022-23851] [Modified: 05-01-2026] [Analyzed] [V3.1 S9.8:CRITICAL] Netaxis API Orchestrator (APIO) before 0.19.3 allows server side template injection (SSTI).

[CVE-2024-29370] [Modified: 05-01-2026] [Analyzed] [V3.1 S5.3:MEDIUM] In python-jose 3.3.0 (specifically jwe.decrypt), a vulnerability allows an attacker to cause a Denial-of-Service (DoS) condition by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression.

[CVE-2025-14727] [Modified: 08-01-2026] [Analyzed] [V3.1 S8.3:HIGH] A vulnerability exists in NGINX Ingress Controller's nginx.org/rewrite-target annotation validation. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

[CVE-2025-20393] [Modified: 16-01-2026] [Analyzed] [V3.1 S10.0:CRITICAL] A vulnerability in the Spam Quarantine feature of Cisco AsyncOS Software for Cisco Secure Email Gateway and Cisco Secure Email and Web Manager could allow an unauthenticated, remote attacker to execute arbitrary system commands on an affected device with root privileges. This vulnerability is due to insufficient validation of HTTP requests by the Spam Quarantine feature. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected device. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with root privileges.

[CVE-2025-53398] [Modified: 02-01-2026] [Analyzed] [V3.1 S7.8:HIGH] The Portrait Dell Color Management application 3.3.8 for Dell monitors has Insecure Permissions.

[CVE-2025-53919] [Modified: 02-01-2026] [Analyzed] [V3.1 S7.8:HIGH] An issue was discovered in the Portrait Dell Color Management application through 3.3.008 for Dell monitors. It creates a temporary folder with weak permissions during installation and uninstallation. A low-privileged attacker with local access could potentially exploit this, leading to elevation of privileges.

[CVE-2025-65185] [Modified: 05-01-2026] [Analyzed] [V3.1 S2.8:LOW] There is a username enumeration via local user login in Entrinsik Informer v5.10.1 which allows malicious users to enumerate users by entering an OTP code and new password then reviewing application responses.

[CVE-2025-65855] [Modified: 06-01-2026] [Analyzed] [V3.1 S6.6:MEDIUM] The OTA firmware update mechanism in Netun Solutions HelpFlash IoT (firmware v18_178_221102_ASCII_PRO_1R5_50) uses hard-coded WiFi credentials identical across all devices and does not authenticate update servers or validate firmware signatures. An attacker with brief physical access can activate OTA mode (8-second button press), create a malicious WiFi AP using the known credentials, and serve malicious firmware via unauthenticated HTTP to achieve arbitrary code execution on this safety-critical emergency signaling device.

[CVE-2025-66921] [Modified: 18-12-2025] [Analyzed] [V3.1 S7.2:HIGH] A Cross-site scripting (XSS) vulnerability in Create/Update Item(s) Module in Open Source Point of Sale v3.4.1 allows remote attackers to inject arbitrary web script or HTML via the "name" parameter.

[CVE-2025-67164] [Modified: 02-01-2026] [Analyzed] [V3.1 S9.9:CRITICAL] An authenticated arbitrary file upload vulnerability in the /storage/poc.php component of Pagekit CMS v1.0.18 allows attackers to execute arbitrary code via uploading a crafted PHP file.

[CVE-2025-67165] [Modified: 02-01-2026] [Analyzed] [V3.1 S9.8:CRITICAL] An Insecure Direct Object Reference (IDOR) in Pagekit CMS v1.0.18 allows attackers to escalate privileges.

[CVE-2025-67285] [Modified: 02-01-2026] [Analyzed] [V3.1 S7.3:HIGH] A SQL injection vulnerability was found in the '/cts/admin/?page=zone' file of ITSourcecode COVID Tracking System Using QR-Code v1.0. The cause is that the 'id' parameter is used directly in SQL queries without appropriate sanitization or validation, so an attacker can inject malicious SQL through it.

[CVE-2025-65203] [Modified: 05-01-2026] [Analyzed] [V3.1 S7.1:HIGH] KeePassXC-Browser through 1.9.9.2 autofills or prompts to fill stored credentials into documents rendered under a browser-enforced CSP sandbox directive or iframe sandbox attribute, allowing attacker-controlled script in the sandboxed document to access populated form fields and exfiltrate credentials.

[CVE-2025-66923] [Modified: 18-12-2025] [Analyzed] [V3.1 S7.2:HIGH] A Cross-site scripting (XSS) vulnerability in Create/Update Customer(s) in Open Source Point of Sale v3.4.1 allows remote attackers to inject arbitrary web script or HTML via the phone_number parameter.

[CVE-2025-66924] [Modified: 18-12-2025] [Analyzed] [V3.1 S6.1:MEDIUM] A Cross-site scripting (XSS) vulnerability in Create/Update Item Kit(s) in Open Source Point of Sale v3.4.1 allows remote attackers to inject arbitrary web script or HTML via the "name" parameter.

[CVE-2025-67172] [Modified: 18-12-2025] [Analyzed] [V3.1 S7.2:HIGH] RiteCMS v3.1.0 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the parse_special_tags() function.