[02/05/2026 17:39] Ivete Sangalo confirma participação em show de Shakira no Rio: 'Vai ser divertido' - UOL

[02/05/2026 14:36] Bombeiros confirmam mais uma morte em São Lourenço da Mata e número de vítimas sobe para seis - Folha PE

[02/05/2026 13:15] O que dizia a proposta do Irã para o fim da guerra rejeitada por Trump - NSC Total

[02/05/2026 13:55] Otan busca entender retirada de 5.000 soldados dos EUA da Alemanha - Poder360

[02/05/2026 11:56] Sobe para 19 o número de municípios gaúchos que tiveram transtornos com os temporais - Correio do Povo

[02/05/2026 12:51] Morre Raimundo Rodrigues Pereira, fundador do jornal Movimento e símbolo do jornalismo de resistência no Brasil - Brasil 247

[02/05/2026 13:09] Governador do PT defende que Lula mantenha indicação de Jorge Messias para vaga no STF - CartaCapital

[02/05/2026 12:27] Jovem mutilada com foice por ex-namorado tem mãos reimplantadas, diz delegado - Diário do Nordeste

[02/05/2026 14:39] ‘Nuvem prateleira’ impressiona turistas em praia do litoral norte de São Paulo; entenda o fenômeno - R7

[02/05/2026 13:04] Judeus solicitam alteração na data das eleições no Brasil devido a motivos religiosos - Diário do Centro do Mundo

[CVE-2026-0569] [Modified: 29-04-2026] [Analyzed] [V3.1 S7.3:HIGH] A vulnerability has been found in code-projects Online Music Site 1.0. This affects an unknown function of the file /Frontend/AlbumByCategory.php. Such manipulation of the argument ID leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

[CVE-2026-21430] [Modified: 16-01-2026] [Analyzed] [V3.1 S9.3:CRITICAL] Emlog is an open source website building system. In version 2.5.23, article creation functionality is vulnerable to cross-site request forgery (CSRF). This can lead to a user being forced to post an article with arbitrary, attacker-controlled content. This, when combined with stored cross-site scripting, leads to account takeover. As of time of publication, no known patched versions are available.

[CVE-2026-21431] [Modified: 16-01-2026] [Analyzed] [V3.1 S5.4:MEDIUM] Emlog is an open source website building system. Version 2.5.23 has a stored cross-site scripting vulnerability in the `Resource media library ` function while publishing an article. As of time of publication, no known patched versions are available.

[CVE-2026-21432] [Modified: 16-01-2026] [Analyzed] [V3.1 S5.4:MEDIUM] Emlog is an open source website building system. Version 2.5.23 has a stored cross-site scripting vulnerability that can lead to account takeover, including takeover of admin accounts. As of time of publication, no known patched versions are available.

[CVE-2026-21433] [Modified: 16-01-2026] [Analyzed] [V3.1 S7.7:HIGH] Emlog is an open source website building system. Versions up to and including 2.5.19 are vulnerable to server-side Out-of-Band (OOB) requests / SSRF via uploaded SVG files. An attacker can upload a crafted SVG to http[:]//emblog/admin/media[.]php which contains external resource references. When the server processes/renders the SVG (thumbnailing, preview, or sanitization), it issues an HTTP request to the attacker-controlled host. Impact: server-side SSRF/OOB leading to internal network probing and potential metadata/credential exposure. As of time of publication, no known patched versions are available.

[CVE-2026-21444] [Modified: 25-02-2026] [Analyzed] [V3.1 S5.5:MEDIUM] libtpms, a library that provides software emulation of a Trusted Platform Module, has a flaw in versions 0.10.0 and 0.10.1. The commonly used integration of libtpms with OpenSSL 3.x contained a vulnerability related to the returned IV (initialization vector) when certain symmetric ciphers were used. Instead of returning the last IV it returned the initial IV to the caller, thus weakening the subsequent encryption and decryption steps. The highest threat from this vulnerability is to data confidentiality. Version 0.10.2 fixes the issue. No known workarounds are available.

[CVE-2026-0571] [Modified: 29-04-2026] [Analyzed] [V3.1 S4.3:MEDIUM] A security flaw has been discovered in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. Affected by this issue is the function createResponseEntity of the file warehouse\src\main\java\com\yeqifu\sys\common\AppFileUtils.java. The manipulation of the argument path results in path traversal. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases.

[CVE-2026-21445] [Modified: 16-01-2026] [Analyzed] [V3.1 S9.1:CRITICAL] Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.7.0.dev45, multiple critical API endpoints in Langflow are missing authentication controls. The issue allows any unauthenticated user to access sensitive user conversation data, transaction histories, and perform destructive operations including message deletion. This affects endpoints handling personal data and system operations that should require proper authorization. Version 1.7.0.dev45 contains a patch.

[CVE-2026-21446] [Modified: 08-01-2026] [Analyzed] [V3.1 S9.8:CRITICAL] Bagisto is an open source laravel eCommerce platform. In versions on the 2.3 branch prior to 2.3.10, API routes remain active even after initial installation is complete. The underlying API endpoints (`/install/api/*`) are directly accessible and exploitable without any authentication. An attacker can bypass the Ib installer entirely by calling the API endpoints directly. This allows any unauthenticated attacker to create admin accounts, modify application configurations, and potentially overwrite existing data. Version 2.3.10 fixes the issue.

[CVE-2026-21447] [Modified: 08-01-2026] [Analyzed] [V3.1 S7.1:HIGH] Bagisto is an open source laravel eCommerce platform. Prior to version 2.3.10, an Insecure Direct Object Reference vulnerability in the customer order reorder function allows any authenticated customer to add items from another customer's order to their own shopping cart by manipulating the order ID parameter. This exposes sensitive purchase information and enables potential fraud. Version 2.3.10 patches the issue.

[CVE-2026-21448] [Modified: 08-01-2026] [Analyzed] [V3.1 S9.8:CRITICAL] Bagisto is an open source laravel eCommerce platform. Versions prior to 2.3.10 are vulnerable to server-side template injection. When a normal customer orders any product, in the `add address` step they can inject a value to run in admin view. The issue can lead to remote code execution. Version 2.3.10 contains a patch.

[CVE-2026-21449] [Modified: 08-01-2026] [Analyzed] [V3.1 S8.8:HIGH] Bagisto is an open source laravel eCommerce platform. Versions prior to 2.3.10 are vulnerable to server-side template injection via first name and last name from a low-privilege user. Version 2.3.10 fixes the issue.

[CVE-2026-21450] [Modified: 08-01-2026] [Analyzed] [V3.1 S9.8:CRITICAL] Bagisto is an open source laravel eCommerce platform. Versions prior to 2.3.10 are vulnerable to server-side template injection via type parameter, which can lead to remote code execution or another exploitation. Version 2.3.10 fixes the issue.

[CVE-2026-21451] [Modified: 08-01-2026] [Analyzed] [V3.1 S8.4:HIGH] Bagisto is an open source laravel eCommerce platform. A stored Cross-Site Scripting (XSS) vulnerability exists in Bagisto prior to version 2.3.10 within the CMS page editor. Although the platform normally attempts to sanitize `<script>` tags, the filtering can be bypassed by manipulating the raw HTTP POST request before submission. As a result, arbitrary JavaScript can be stored in the CMS content and executed whenever the page is viewed or edited. This exposes administrators to a high-severity risk, including complete account takeover, backend hijacking, and malicious script execution. Version 2.3.10 fixes the issue.

[CVE-2026-21452] [Modified: 05-02-2026] [Analyzed] [V3.1 S7.5:HIGH] MessagePack for Java is a serializer implementation for Java. A denial-of-service vulnerability exists in versions prior to 0.9.11 when deserializing .msgpack files containing EXT32 objects with attacker-controlled payload lengths. While MessagePack-Java parses extension headers lazily, it later trusts the declared EXT payload length when materializing the extension data. When ExtensionValue.getData() is invoked, the library attempts to allocate a byte array of the declared length without enforcing any upper bound. A malicious .msgpack file of only a few bytes can therefore trigger unbounded heap allocation, resulting in JVM heap exhaustion, process termination, or service unavailability. This vulnerability is triggered during model loading / deserialization, making it a model format vulnerability suitable for remote exploitation. The vulnerability enables a remote denial-of-service attack against applications that deserialize untrusted .msgpack model files using MessagePack for Java. A specially crafted but syntactically valid .msgpack file containing an EXT32 object with an attacker-controlled, excessively large payload length can trigger unbounded memory allocation during deserialization. When the model file is loaded, the library trusts the declared length metadata and attempts to allocate a byte array of that size, leading to rapid heap exhaustion, excessive garbage collection, or immediate JVM termination with an OutOfMemoryError. The attack requires no malformed bytes, user interaction, or elevated privileges and can be exploited remotely in real-world environments such as model registries, inference services, CI/CD pipelines, and cloud-based model hosting platforms that accept or fetch .msgpack artifacts. Because the malicious file is extremely small yet valid, it can bypass basic validation and scanning mechanisms, resulting in complete service unavailability and potential cascading failures in production systems. Version 0.9.11 fixes the vulnerability.

[CVE-2026-21483] [Modified: 25-02-2026] [Analyzed] [V3.1 S5.4:MEDIUM] listmonk is a standalone, self-hosted, newsletter and mailing list manager. Prior to version 6.0.0, lower-privileged user with campaign management permissions can inject malicious JavaScript into campaigns or templates. When a higher-privileged user (Super Admin) views or previews this content, the XSS executes in their browser context, allowing the attacker to perform privileged actions such as creating backdoor admin accounts. The attack can be weaponized via the public archive feature, where victims simply need to visit a link - no preview click required. Version 6.0.0 fixes the issue.

[CVE-2025-64120] [Modified: 26-02-2026] [Analyzed] [V3.1 S8.8:HIGH] Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Nuvation Energy Multi-Stack Controller (MSC) allows OS Command Injection.This issue affects Multi-Stack Controller (MSC): from 2.3.8 before 2.5.1.

[CVE-2025-64121] [Modified: 26-02-2026] [Analyzed] [V3.1 S9.8:CRITICAL] Authentication Bypass Using an Alternate Path or Channel vulnerability in Nuvation Energy Multi-Stack Controller (MSC) allows Authentication Bypass.This issue affects Multi-Stack Controller (MSC): from 2.3.8 before 2.5.1.

[CVE-2025-64122] [Modified: 26-02-2026] [Analyzed] [V3.1 S5.5:MEDIUM] Insufficiently Protected Credentials vulnerability in Nuvation Energy Multi-Stack Controller (MSC) allows Signature Spoofing by Key Theft.This issue affects Multi-Stack Controller (MSC): through 2.5.1.

[CVE-2025-64123] [Modified: 26-02-2026] [Analyzed] [V3.1 S9.8:CRITICAL] Unintended Proxy or Intermediary vulnerability in Nuvation Energy Multi-Stack Controller (MSC) allows Network Boundary Bridging.This issue affects Multi-Stack Controller (MSC): through and including release 2.5.1.