Bitcoin Core version 28.4 is now available for download. See the release notes for more information about the bug fixes in this release. If you have any questions, please stop by the #bitcoin IRC chatroom (IRC, web) and we’ll do our best to help you.

[CVE-2025-12843] [Modified: 05-01-2026] [Analyzed] [V3.1 S5.5:MEDIUM] Code Injection using Electron Fuses in waveterm on MacOS allows TCC Bypass. This issue affects waveterm: 0.12.2.

[CVE-2025-14567] [Modified: 23-12-2025] [Analyzed] [V3.1 S5.3:MEDIUM] A weakness has been identified in haxxorsid Stock-Management-System up to fbbbf213e9c93b87183a3891f77e3cc7095f22b0. This affects an unknown function of the file /api/employees. Manipulation can lead to missing authentication. It is possible to launch the attack remotely. The exploit has been made available to the public and could be exploited. This product takes the approach of rolling releases to provide continuous delivery. Therefore, version details for affected and updated releases are not available. The vendor was contacted early about this disclosure but did not respond in any way. This vulnerability only affects products that are no longer supported by the maintainer.

[CVE-2025-53960] [Modified: 16-12-2025] [Analyzed] [V3.1 S5.9:MEDIUM] When issuing JSON Web Tokens (JWT), Apache StreamPark directly uses the user's password as the HMAC signing key (e.g., with the HS256 algorithm). An attacker can exploit this vulnerability to perform offline brute-force attacks on the user's password using a captured JWT, or to arbitrarily forge identity tokens for the user if the password is already known, ultimately leading to complete account takeover. This issue affects Apache StreamPark: from 2.0.0 before 2.1.7. Users are recommended to upgrade to version 2.1.7, which fixes the issue.

[CVE-2025-65530] [Modified: 19-12-2025] [Analyzed] [V3.1 S8.8:HIGH] An eval injection in the malware de-obfuscation routines of CloudLinux ai-bolit before v32.7.4 allows attackers to overwrite arbitrary files as root via scanning a crafted file.

[CVE-2025-65854] [Modified: 19-12-2025] [Analyzed] [V3.1 S9.8:CRITICAL] Insecure permissions in the scheduled tasks feature of MineAdmin v3.x allow attackers to execute arbitrary commands and perform a full account takeover.

[CVE-2025-66430] [Modified: 06-01-2026] [Analyzed] [V3.1 S9.1:CRITICAL] Plesk 18.0 has Incorrect Access Control.

[CVE-2025-67341] [Modified: 19-12-2025] [Analyzed] [V3.1 S4.6:MEDIUM] jshERP versions 3.5 and earlier are affected by a stored XSS vulnerability. This vulnerability allows attackers to upload PDF files containing XSS payloads. Additionally, these PDF files can be accessed via static URLs, making them accessible to all users.

[CVE-2025-67344] [Modified: 19-12-2025] [Analyzed] [V3.1 S4.6:MEDIUM] jshERP v3.5 and earlier are affected by a stored Cross Site Scripting (XSS) vulnerability via the /msg/add endpoint.

[CVE-2023-29144] [Modified: 19-12-2025] [Analyzed] [V3.1 S3.3:LOW] Malwarebytes 1.0.14 for Linux doesn't properly compute signatures in some scenarios. This allows a bypass of detection.

[CVE-2025-64011] [Modified: 19-12-2025] [Analyzed] [V3.1 S4.3:MEDIUM] Nextcloud Server 30.0.0 is vulnerable to an Insecure Direct Object Reference (IDOR) in the /core/preview endpoint. Any authenticated user can access previews of arbitrary files belonging to other users by manipulating the fileId parameter. This allows unauthorized disclosure of sensitive data, such as text files or images, without prior sharing permissions.

[CVE-2025-67342] [Modified: 19-12-2025] [Analyzed] [V3.1 S4.6:MEDIUM] RuoYi versions 4.8.1 and earlier are affected by a stored XSS vulnerability in the /system/menu/edit endpoint. While the endpoint is protected by an XSS filter, the protection can be bypassed. Additionally, because the menu is shared across all users, any user with menu modification permissions can impact all users by exploiting this stored XSS vulnerability.

[CVE-2025-67818] [Modified: 19-12-2025] [Analyzed] [V3.1 S7.2:HIGH] An issue was discovered in Weaviate OSS before 1.33.4. An attacker with access to insert data into the database can craft an entry name with an absolute path (e.g., /etc/...) or use parent directory traversal (../../..) to escape the restore root when a backup is restored, potentially creating or overwriting files in arbitrary locations within the application's privilege scope.

[CVE-2025-67819] [Modified: 19-12-2025] [Analyzed] [V3.1 S4.9:MEDIUM] An issue was discovered in Weaviate OSS before 1.33.4. Due to a lack of validation of the fileName field in the transfer logic, an attacker who can call the GetFile method while a shard is in the "Pause file activity" state and the FileReplicationService is reachable can read arbitrary files accessible to the service process.

[CVE-2025-14570] [Modified: 19-12-2025] [Analyzed] [V3.1 S7.3:HIGH] A flaw has been found in projectworlds Advanced Library Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /view_admin.php. This manipulation of the argument admin_id causes sql injection. The attack may be initiated remotely. The exploit has been published and may be used.

[CVE-2025-14571] [Modified: 19-12-2025] [Analyzed] [V3.1 S7.3:HIGH] A vulnerability has been found in projectworlds Advanced Library Management System 1.0. Affected by this issue is some unknown functionality of the file /borrow_book.php. Such manipulation of the argument roll_number leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

[CVE-2025-14174] [Modified: 15-12-2025] [Analyzed] [V3.1 S8.8:HIGH] Out of bounds memory access in ANGLE in Google Chrome on Mac prior to 143.0.7499.110 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)

[CVE-2025-14372] [Modified: 19-12-2025] [Analyzed] [V3.1 S6.1:MEDIUM] Use after free in Password Manager in Google Chrome prior to 143.0.7499.110 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)

[CVE-2025-14373] [Modified: 19-12-2025] [Analyzed] [V3.1 S4.3:MEDIUM] Inappropriate implementation in Toolbar in Google Chrome on Android prior to 143.0.7499.110 allowed a remote attacker to perform domain spoofing via a crafted HTML page. (Chromium security severity: Medium)

[CVE-2025-14572] [Modified: 12-01-2026] [Analyzed] [V3.1 S8.8:HIGH] A vulnerability was found in UTT 进取 512W up to 1.7.7-171114. This affects an unknown part of the file /goform/formWebAuthGlobalConfig. Performing manipulation of the argument hidcontact results in memory corruption. Remote exploitation of the attack is possible. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

[CVE-2025-14578] [Modified: 19-12-2025] [Analyzed] [V3.1 S7.3:HIGH] A weakness has been identified in itsourcecode Student Management System 1.0. The affected element is an unknown function of the file /update_account.php. This manipulation of the argument ID causes sql injection. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be exploited.