[29/01/2026 13:01] SP entra em alerta para tempestades e risco de alagamentos nesta quinta-feira - Jovem Pan

[29/01/2026 13:29] Governo de Minas confirma rompimento em mina da Vale - em.com.br

[29/01/2026 12:36] Ciclone e baixa secundária trarão chuva intensa e temporais em nove estados - metsul.com

[29/01/2026 19:01] Carregador pega fogo a bordo e voo da Latam tem de pousar em Ribeirão Preto - CNN Brasil

[29/01/2026 10:57] Lula ignorou o chanceler do Panamá? - O Antagonista

[29/01/2026 09:54] Lula escolhe Miriam Belchior para substituir Rui Costa na Casa Civil - Brasil 247

[29/01/2026 20:09] Lula realiza exames e passará por cirurgia na sexta-feira; saiba o motivo - nsctotal.com.br

[29/01/2026 13:45] Trump diz que vai reabrir espaço aéreo da Venezuela: 'os americanos poderão visitar muito em breve' - G1

[29/01/2026 06:02] Impasse sobre ICE pode causar novo shutdown no Trump 2 - Poder360

[28/01/2026 07:32] Lula confirma viagem aos EUA para conversar ‘olhando no olho’ de Trump - ndmais.com.br

[CVE-2025-58777] [Modified: 07-10-2025] [Analyzed] [V3.1 S7.8:HIGH] VT Studio versions 8.53 and prior contain an access of uninitialized pointer vulnerability. If the product uses a specially crafted file, arbitrary code may be executed on the affected product.

[CVE-2025-61691] [Modified: 07-10-2025] [Analyzed] [V3.1 S7.8:HIGH] VT STUDIO versions 8.53 and prior contain an out-of-bounds read vulnerability. If the product uses a specially crafted file, arbitrary code may be executed on the affected product.

[CVE-2025-61692] [Modified: 07-10-2025] [Analyzed] [V3.1 S7.8:HIGH] VT STUDIO versions 8.53 and prior contain a use after free vulnerability. If the product uses a specially crafted file, arbitrary code may be executed on the affected product.

[CVE-2025-40646] [Modified: 03-11-2025] [Analyzed] [V3.1 S5.4:MEDIUM] Stored Cross-Site Scripting (XSS) vulnerability in Energy CRM v2025 by Status Tracker Ltd, consisting of a stored XSS due to lack of proper validation of user input by sending a POST request to “/crm/create_job_submit.php”, using the “JobCreatedBy” parameter. This vulnerability could allow a remote user to send a specially crafted query to an authenticated user and steal their cookie session details.

[CVE-2025-54286] [Modified: 22-10-2025] [Analyzed] [V3.1 S8.8:HIGH] Cross-Site Request Forgery (CSRF) in LXD-UI in Canonical LXD versions >= 5.0 on Linux allows an attacker to create and start container instances without user consent via crafted HTML form submissions exploiting client certificate authentication.

[CVE-2025-54287] [Modified: 22-10-2025] [Analyzed] [V3.1 S6.5:MEDIUM] Template Injection in instance snapshot creation component in Canonical LXD (>= 4.0) allows an attacker with instance configuration permissions to read arbitrary files on the host system via specially crafted snapshot pattern templates using the Pongo2 template engine.

[CVE-2025-54288] [Modified: 24-10-2025] [Analyzed] [V3.1 S6.8:MEDIUM] Information Spoofing in devLXD Server in Canonical LXD versions 4.0 and above on Linux container platforms allows attackers with root privileges within any container to impersonate other containers and obtain their metadata, configuration, and device information via spoofed process names in the command line.

[CVE-2025-54289] [Modified: 24-10-2025] [Analyzed] [V3.1 S8.1:HIGH] Privilege Escalation in operations API in Canonical LXD <6.5 on multiple platforms allows attacker with read permissions to hijack terminal or console sessions and execute arbitrary commands via WebSocket connection hijacking format

[CVE-2025-54290] [Modified: 24-10-2025] [Analyzed] [V3.1 S5.3:MEDIUM] Information disclosure in image export API in Canonical LXD before 6.5 and 5.21.4 on Linux allows network attackers to determine project existence without authentication via crafted requests using wildcard fingerprints.

[CVE-2025-54291] [Modified: 24-10-2025] [Analyzed] [V3.1 S5.3:MEDIUM] Information disclosure in images API in Canonical LXD before 6.5 and 5.21.4 on all platforms allows unauthenticated remote attackers to determine project existence via differing HTTP status code responses.

[CVE-2025-54292] [Modified: 10-12-2025] [Analyzed] [V3.1 S4.6:MEDIUM] Path traversal in Canonical LXD LXD-UI versions before 6.5 and 5.21.4 on all platforms allows remote authenticated attackers to access or modify unintended resources via crafted resource names embedded in URL paths.

[CVE-2025-40989] [Modified: 08-10-2025] [Analyzed] [V3.1 S5.4:MEDIUM] Stored Cross Site Scripting vulnerability in Ekushey CRM v5.0 by Creativeitem, due to lack of proper validation of user inputs via the "/ekushey/index.php/client/project_message/add/xxx", affecting to "message" parameter via POST. This vulnerability could allow a remote attacker to send a specially crafted query to an authenticated user and steal his/her cookie session details.

[CVE-2025-40990] [Modified: 08-10-2025] [Analyzed] [V3.1 S5.4:MEDIUM] Stored Cross Site Scripting vulnerability in Ekushey CRM v5.0 by Creativeitem, due to lack of proper validation of user inputs via the "/ekushey/index.php/client/project_bug/create/xxx", affecting to "title" and "description" parameters via POST. This vulnerability could allow a remote attacker to send a specially crafted query to an authenticated user and steal his/her cookie session details.

[CVE-2025-40991] [Modified: 08-10-2025] [Analyzed] [V3.1 S5.4:MEDIUM] Stored Cross Site Scripting vulnerability in Ekushey CRM v5.0 by Creativeitem, due to lack of proper validation of user inputs via the "/ekushey/index.php/client/project_file/upload/xxxx", affecting to "description" parameter via POST. This vulnerability could allow a remote attacker to send a specially crafted query to an authenticated user and steal his/her cookie session details.

[CVE-2025-54293] [Modified: 10-12-2025] [Analyzed] [V3.1 S6.5:MEDIUM] Path Traversal in the log file retrieval function in Canonical LXD 5.0 LTS on Linux allows authenticated remote attackers to read arbitrary files on the host system via crafted log file names or symbolic links.

[CVE-2025-11239] [Modified: 08-10-2025] [Analyzed] [V3.1 S4.3:MEDIUM] Potentially sensitive information in jobs on KNIME Business Hub prior to 1.16.0 were visible to all members of the user's team. Starting with KNIME Business Hub 1.16.0 only metadata of jobs is shown to team members. Only the creator of a job can see all information including in- and output data (if present).

[CVE-2025-11240] [Modified: 08-10-2025] [Analyzed] [V3.1 S7.2:HIGH] An open redirect vulnerability existed in KNIME Business Hub prior to version 1.16.0. An unauthenticated remote attacker could craft a link to a legitimate KNIME Business Hub installation which, when opened by the user, redirects the user to a page of the attackers choice. This might open the possibility for fishing or other similar attacks. The problem has been fixed in KNIME Business Hub 1.16.0.

[CVE-2025-22862] [Modified: 15-10-2025] [Analyzed] [V3.1 S6.7:MEDIUM] An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] in FortiOS 7.4.0 through 7.4.7, 7.2.0 through 7.2.11, 7.0.6 and above; and FortiProxy 7.6.0 through 7.6.2, 7.4.0 through 7.4.8, 7.2 all versions, 7.0.5 and above may allow an authenticated attacker to elevate their privileges via triggering a malicious Webhook action in the Automation Stitch component.

[CVE-2025-56380] [Modified: 03-10-2025] [Analyzed] [V3.1 S6.5:MEDIUM] Frappe Framework v15.72.4 was discovered to contain a SQL injection vulnerability via the fieldname parameter in the frappe.client.get_value API endpoint and a crafted script to the fieldname parameter

[CVE-2025-56381] [Modified: 03-10-2025] [Analyzed] [V3.1 S6.5:MEDIUM] ERPNEXT v15.67.0 was discovered to contain multiple SQL injection vulnerabilities in the /api/method/frappe.desk.reportview.get endpoint via the order_by and group_by parameters.