[20/03/2026 13:13] Vorcaro recebe advogado na PF em meio à expectativa de delação premiada - Correio Braziliense

[20/03/2026 14:30] Plantonista citou risco de morte de Bolsonaro em dia de transferência para hospital - Estado de Minas

[20/03/2026 16:08] Mendonça lidera imagem positiva no STF e Toffoli tem maior rejeição, diz pesquisa - CartaCapital

[20/03/2026 14:57] Vamos comprar refinaria vendida pela Petrobras, diz Lula - Poder360

[20/03/2026 11:40] “O papel de um bom juiz não é ser estrela”, diz Mendonça - O Antagonista

[20/03/2026 16:47] "Cego de ciúmes": PM relatou medo de ser morta por tenente-coronel - CNN Brasil

[20/03/2026 09:55] Lula exonera Haddad e nomeia Dario Durigan novo ministro da Fazenda - R7

[20/03/2026 16:37] Carlos Madeiro: Lira lança pré-candidatura ao Senado e confirma filho em disputa por Câmara - UOL Notícias

[19/03/2026 17:09] Governadores alinham resposta e pregam cautela sobre proposta do governo de zerar ICMS do diesel - Estadão

[20/03/2026 03:30] Cônsul honorária do Brasil no Líbano é investigada por suspeita de manter filipina em condição análoga à escravidão em SP - O Globo

[CVE-2025-36161] [Modified: 24-11-2025] [Analyzed] [V3.1 S5.9:MEDIUM] IBM Concert 1.0.0 through 2.0.0 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict-Transport-Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques.

[CVE-2025-60737] [Modified: 12-12-2025] [Analyzed] [V3.1 S6.1:MEDIUM] Cross Site Scripting vulnerability in Ilevia EVE X1 Server Firmware Version<= 4.7.18.0.eden:Logic Version<=6.00 - 2025_07_21 allows a remote attacker to execute arbitrary code via the /index.php component

[CVE-2025-60738] [Modified: 15-01-2026] [Analyzed] [V3.1 S9.8:CRITICAL] An issue in Ilevia EVE X1 Server Firmware Version v4.7.18.0.eden and before Logic Version v6.00 - 2025_07_21 and before allows a remote attacker to execute arbitrary code via the ping.php component does not perform secure filtering on IP parameters

[CVE-2025-62293] [Modified: 24-11-2025] [Analyzed] [V3.1 S5.4:MEDIUM] SOPlanning is vulnerable to Broken Access Control in /status endpoint. Due to lack of permission checks in Project Status functionality an authenticated attacker is able to add, edit and delete any status. This issue was fixed in version 1.55.

[CVE-2025-62294] [Modified: 24-11-2025] [Analyzed] [V3.1 S7.5:HIGH] SOPlanning is vulnerable to Predictable Generation of Password Recovery Token. Due to weak mechanism of generating recovery tokens, a malicious attacker is able to brute-force all possible values and takeover any account in reasonable amount of time. This issue was fixed in version 1.55.

[CVE-2025-62295] [Modified: 24-11-2025] [Analyzed] [V3.1 S5.4:MEDIUM] SOPlanning is vulnerable to Stored XSS in /groupe_form endpoint. Malicious attacker with medium privileges can inject arbitrary HTML and JS into website, which will be rendered/executed when opening editor. This issue was fixed in version 1.55.

[CVE-2025-62296] [Modified: 24-11-2025] [Analyzed] [V3.1 S5.4:MEDIUM] SOPlanning is vulnerable to Stored XSS in /taches endpoint. Malicious attacker with medium privileges can inject arbitrary HTML and JS into website, which will be rendered/executed when opening editor. This issue was fixed in version 1.55.

[CVE-2025-62297] [Modified: 24-11-2025] [Analyzed] [V3.1 S5.4:MEDIUM] SOPlanning is vulnerable to Stored XSS in /projets endpoint. Malicious attacker with medium privileges can inject arbitrary HTML and JS into website, which will be rendered/executed when opening edited page. This issue was fixed in version 1.55.

[CVE-2025-62729] [Modified: 24-11-2025] [Analyzed] [V3.1 S5.4:MEDIUM] SOPlanning is vulnerable to Stored XSS in /status endpoint. Malicious attacker with an account can inject arbitrary HTML and JS into website, which will be rendered/executed when opening multiple pages. This issue was fixed in version 1.55.

[CVE-2025-62730] [Modified: 24-11-2025] [Analyzed] [V3.1 S8.8:HIGH] SOPlanning is vulnerable to Privilege Escalation in user management tab. Users with user_manage_team role are allowed to modify permissions of users. However, they are able to assign administrative permissions to any user including themselves. This allow a malicious authenticated attacker with this role to escalate to admin privileges. This issue affects both Bulk Update functionality and regular edition of user's right and privileges. This issue was fixed in version 1.55.

[CVE-2025-62731] [Modified: 24-11-2025] [Analyzed] [V3.1 S4.8:MEDIUM] SOPlanning is vulnerable to Stored XSS in /feries endpoint. Malicious attacker with access to public holidays feature is able to inject arbitrary HTML and JS into website, which will be rendered/executed when opening multiple pages. By default only administrators and users with special privileges are able to access this endpoint. This issue was fixed in version 1.55.

[CVE-2025-62875] [Modified: 15-01-2026] [Analyzed] [V3.1 S5.5:MEDIUM] An Improper Check for Unusual or Exceptional Conditions vulnerability in OpenSMTPD allows local users to crash OpenSMTPD. This issue affects openSUSE Tumbleweed: from ? before 7.8.0p0-1.1.

[CVE-2025-12120] [Modified: 10-12-2025] [Analyzed] [V3.1 S7.3:HIGH] Lite XL versions 2.1.8 and prior automatically execute the .lite_project.lua file when opening a project directory, without prompting the user for confirmation. The .lite_project.lua file is intended for project-specific configuration but can contain executable Lua logic. This behavior could allow execution of untrusted Lua code if a user opens a malicious project, potentially leading to arbitrary code execution with the privileges of the Lite XL process.

[CVE-2025-12121] [Modified: 10-12-2025] [Analyzed] [V3.1 S7.3:HIGH] Lite XL versions 2.1.8 and prior contain a vulnerability in the system.exec function, which allowed arbitrary command execution through unsanitized shell command construction. This function was used in project directory launching (core.lua), drag-and-drop file handling (rootview.lua), and the “open in system” command in the treeview plugin (treeview.lua). If an attacker could influence input to system.exec, they might execute arbitrary commands with the privileges of the Lite XL process.

[CVE-2025-52410] [Modified: 12-12-2025] [Analyzed] [V3.1 S9.8:CRITICAL] Institute-of-Current-Students v1.0 contains a time-based blind SQL injection vulnerability in the mydetailsstudent.php endpoint. The `myds` GET parameter is not adequately sanitized before being used in SQL queries.

[CVE-2025-62709] [Modified: 25-11-2025] [Analyzed] [V3.1 S6.8:MEDIUM] ClipBucket v5 is an open source video sharing platform. In ClipBucket version 5.5.2, a change to network.class.php causes the application to dynamically build the server URL from the incoming HTTP Host header when the configuration base_url is not set. Because Host is a client-controlled header, an attacker can supply an arbitrary Host value. This allows an attacker to cause password-reset links (sent by forget.php) to be generated with the attacker’s domain. If a victim follows that link and enters their activation code on the attacker-controlled domain, the attacker can capture the code and use it to reset the victim’s password and take over the account. This issue has been patched in version 5.5.2#162.

[CVE-2025-63848] [Modified: 12-12-2025] [Analyzed] [V3.1 S6.1:MEDIUM] Stored cross site scripting (xss) vulnerability in SWISH prolog thru 2.2.0 allowing attackers to execute arbitrary code via crafted web IDE notebook.

[CVE-2025-64428] [Modified: 24-11-2025] [Analyzed] [V3.1 S9.8:CRITICAL] Dataease is an open source data visualization analysis tool. Versions prior to 2.10.17 are vulnerable to JNDI injection. A blacklist was added in the patch for version 2.10.14. However, JNDI injection remains possible via the iiop, corbaname, and iiopname schemes. The vulnerability has been fixed in version 2.10.17.

[CVE-2025-63888] [Modified: 25-11-2025] [Analyzed] [V3.1 S9.8:CRITICAL] The read function in file thinkphp\library\think\template\driver\File.php in ThinkPHP 5.0.24 contains a remote code execution vulnerability.

[CVE-2025-63889] [Modified: 25-11-2025] [Analyzed] [V3.1 S7.5:HIGH] The fetch function in file thinkphp\library\think\Template.php in ThinkPHP 5.0.24 allows attackers to read arbitrary files via crafted file path in a template value.