[01/04/2026 22:18] Ao vivo: Trump faz pronunciamento sobre o Irã - Poder360

[01/04/2026 19:52] Suspeito de acessar dados de mulher de Moraes é filho de ex-prefeito do RJ - CNN Brasil

[01/04/2026 19:39] Artemis II: Nasa lança missão tripulada à Lua; veja - Correio Braziliense

[01/04/2026 18:47] Vorcaro, três parlamentares e dois ex-ministros viajaram juntos em jatinho de Brasília para São Paulo, mostram documentos - O Globo

[01/04/2026 21:05] Pacheco se filia ao PSB e vai buscar partidos para decidir candidatura ao Governo de Minas - Estado de Minas

[01/04/2026 05:08] Irã diz estar pronto para encerrar conflito se cessarem ataques militares - Brasil 247

[01/04/2026 17:21] MEC anuncia aplicativos com livros grátis e cursos de idiomas; conheça - CNN Brasil

[01/04/2026 06:00] ITA Ceará recebe Lula hoje para inauguração do primeiro bloco estudantil; veja imagens - Diário do Nordeste

[01/04/2026 15:48] Alcolumbre pode adiar sabatina de Messias no Senado - Correio Braziliense

[01/04/2026 22:49] Eduardo Bolsonaro diz que denunciará a Trump eventual parcialidade do TSE - Metrópoles

[CVE-2025-13645] [Modified: 15-12-2025] [Analyzed] [V3.1 S7.2:HIGH] The Modula Image Gallery plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'ajax_unzip_file' function in versions 2.13.1 to 2.13.2. This makes it possible for authenticated attackers, with Author-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

[CVE-2025-13646] [Modified: 15-12-2025] [Analyzed] [V3.1 S7.5:HIGH] The Modula Image Gallery plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'ajax_unzip_file' function in versions 2.13.1 to 2.13.2. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files with race condition on the affected site's server which may make remote code execution possible.

[CVE-2025-13945] [Modified: 05-12-2025] [Analyzed] [V3.1 S5.5:MEDIUM] HTTP3 dissector crash in Wireshark 4.6.0 and 4.6.1 allows denial of service

[CVE-2025-13946] [Modified: 31-12-2025] [Analyzed] [V3.1 S5.5:MEDIUM] MEGACO dissector infinite loop in Wireshark 4.6.0 to 4.6.1 and 4.4.0 to 4.4.11 allows denial of service

[CVE-2025-39665] [Modified: 19-12-2025] [Analyzed] [V3.1 S5.3:MEDIUM] User enumeration in Nagvis' Checkmk MultisiteAuth before version 1.9.48 allows an unauthenticated attacker to enumerate Checkmk usernames.

[CVE-2025-13354] [Modified: 05-12-2025] [Analyzed] [V3.1 S4.3:MEDIUM] The Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.40.1. This is due to the plugin not properly verifying that a user is authorized to perform an action in the "taxopress_merge_terms_batch" function. This makes it possible for authenticated attackers, with subscriber level access and above, to merge or delete arbitrary taxonomy terms.

[CVE-2025-13359] [Modified: 05-12-2025] [Analyzed] [V3.1 S6.5:MEDIUM] The Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI plugin for WordPress is vulnerable to time-based SQL Injection via the "getTermsForAjax" function in all versions up to, and including, 3.40.1. This is due to insufficient escaping on the user supplied parameters and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database granted they have metabox access for the taxonomy (enabled by default for contributors).

[CVE-2025-13390] [Modified: 16-12-2025] [Analyzed] [V3.1 S10.0:CRITICAL] The WP Directory Kit plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.4.4 due to incorrect implementation of the authentication algorithm in the "wdk_generate_auto_login_link" function. This is due to the feature using a cryptographically weak token generation mechanism. This makes it possible for unauthenticated attackers to gain administrative access and achieve full site takeover via the auto-login endpoint with a predictable token.

[CVE-2025-57200] [Modified: 05-01-2026] [Analyzed] [V3.1 S6.5:MEDIUM] AVTECH SECURITY Corporation DGM1104 FullImg-1015-1004-1006-1003 was discovered to contain an authenticated command injection vulnerability in the test_mail function. This vulnerability allows attackers to execute arbitrary commands via a crafted input.

[CVE-2025-65267] [Modified: 05-12-2025] [Analyzed] [V3.1 S9.0:CRITICAL] In ERPNext v15.83.2 and Frappe Framework v15.86.0, improper validation of uploaded SVG avatar images allows attackers to embed malicious JavaScript. The payload executes when an administrator clicks the image link to view the avatar, resulting in stored cross-site scripting (XSS). Successful exploitation may lead to account takeover, privilege escalation, or full compromise of the affected ERPNext instance.

[CVE-2025-55182] [Modified: 10-12-2025] [Analyzed] [V3.1 S10.0:CRITICAL] A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.

[CVE-2025-57198] [Modified: 23-12-2025] [Analyzed] [V3.1 S8.8:HIGH] AVTECH SECURITY Corporation DGM1104 FullImg-1015-1004-1006-1003 was discovered to contain an authenticated command injection vulnerability in the Machine.cgi endpoint. This vulnerability allows attackers to execute arbitrary commands via a crafted input.

[CVE-2025-57199] [Modified: 23-12-2025] [Analyzed] [V3.1 S8.8:HIGH] AVTECH SECURITY Corporation DGM1104 FullImg-1015-1004-1006-1003 was discovered to contain an authenticated command injection vulnerability in the NetFailDetectD binary. This vulnerability allows attackers to execute arbitrary commands via a crafted input.

[CVE-2025-57202] [Modified: 18-12-2025] [Analyzed] [V3.1 S6.1:MEDIUM] A stored cross-site scripting (XSS) vulnerability in the PwdGrp.cgi endpoint of AVTECH SECURITY Corporation DGM1104 FullImg-1015-1004-1006-1003 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the username field.

[CVE-2025-65320] [Modified: 18-12-2025] [Analyzed] [V3.1 S7.5:HIGH] Abacre Restaurant Point of Sale (POS) up to 15.0.0.1656 are vulnerable to Cleartext Storage of Sensitive Information in Memory. The application leaves valid device-bound license keys in process memory during an activation attempt.

[CVE-2025-7044] [Modified: 18-12-2025] [Analyzed] [V3.1 S7.7:HIGH] An Improper Input Validation vulnerability exists in the user websocket handler of MAAS. An authenticated, unprivileged attacker can intercept a user.update websocket request and inject the is_superuser property set to true. The server improperly validates this input, allowing the attacker to self-promote to an administrator role. This results in full administrative control over the MAAS deployment.

[CVE-2024-32641] [Modified: 05-12-2025] [Analyzed] [V3.1 S9.8:CRITICAL] Masa CMS is an open source Enterprise Content Management platform. Masa CMS versions prior to 7.2.8, 7.3.13, and 7.4.6 are vulnerable to remote code execution. The vulnerability exists in the addParam function, which accepts user input via the criteria parameter. This input is subsequently evaluated by setDynamicContent, allowing an unauthenticated attacker to execute arbitrary code via the m tag. The vulnerability is patched in versions 7.2.8, 7.3.13, and 7.4.6.

[CVE-2024-32642] [Modified: 05-12-2025] [Analyzed] [V3.1 S8.8:HIGH] Masa CMS is an open source Enterprise Content Management platform. Prior to 7.2.8, 7.3.13, and 7.4.6, there is vulnerable to host header poisoning which allows account takeover via password reset email. This vulnerability is fixed in 7.2.8, 7.3.13, and 7.4.6.

[CVE-2024-32643] [Modified: 05-12-2025] [Analyzed] [V3.1 S7.5:HIGH] Masa CMS is an open source Enterprise Content Management platform. Prior to 7.2.8, 7.3.13, and 7.4.6, if the URL to the page is modified to include a /tag/ declaration, the CMS will render the page regardless of group restrictions. This vulnerability is fixed in 7.2.8, 7.3.13, and 7.4.6.

[CVE-2025-13492] [Modified: 05-12-2025] [Analyzed] [V3.1 S7.0:HIGH] A potential security vulnerability has been identified in HP Image Assistant for versions prior to 5.3.3. The vulnerability could potentially allow a local attacker to escalate privileges via a race condition when installing packages.