[04/04/2026 08:42] EUA sofrem golpe inédito em 20 anos com derrubada de aviões no Irã - Folha PE

[04/04/2026 10:07] Imprensa argentina trata caso de Agostina Páez como 'escândalo sem fim' após pai reproduzir gestos racistas - O Globo

[03/04/2026 19:38] Estreito de Ormuz enfrenta colapso e tráfego cai de 130 navios por dia para 221 em um mês - brasil247.com

[04/04/2026 06:30] Governo sofre debandada em ministérios - revistaoeste.com

[03/04/2026 10:40] Crusoé: O maior do Congresso - O Antagonista

[03/04/2026 12:41] Eleições: ultradireita depende da guerra e democracia, da paz. Por Kakay - Diário do Centro do Mundo

[04/04/2026 10:48] Casal morto em acidente fazia voo de teste para comprar avião que caiu no RS - NSC Total

[04/04/2026 10:32] Batida frontal entre carro e caminhão deixa motorista morto no Sul de Minas - Estado de Minas

[03/04/2026 16:52] Desafios da autocorreção - Folha de S.Paulo

[04/04/2026 07:56] Nunes Marques viajou com esposa em voo pago por advogada do Master - O Antagonista

[CVE-2025-6966] [Modified: 07-01-2026] [Analyzed] [V3.1 S5.5:MEDIUM] NULL pointer dereference in TagSection.keys() in python-apt on APT-based Linux systems allows a local attacker to cause a denial of service (process crash) via a crafted deb822 file with a malformed non-UTF-8 key.

[CVE-2025-14085] [Modified: 10-12-2025] [Analyzed] [V3.1 S6.3:MEDIUM] A vulnerability has been found in youlaitech youlai-mall 1.0.0/2.0.0. This impacts an unknown function of the file /app-api/v1/orders/. The manipulation of the argument orderId leads to improper control of dynamically-identified variables. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

[CVE-2025-14086] [Modified: 10-12-2025] [Analyzed] [V3.1 S6.3:MEDIUM] A vulnerability was found in youlaitech youlai-mall 1.0.0/2.0.0. Affected is an unknown function of the file /app-api/v1/members/openid/. The manipulation of the argument openid results in improper access controls. The attack can be executed remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

[CVE-2025-58098] [Modified: 08-12-2025] [Analyzed] [V3.1 S8.3:HIGH] Apache HTTP Server 2.4.65 and earlier with Server Side Includes (SSI) enabled and mod_cgid (but not mod_cgi) passes the shell-escaped query string to #exec cmd="..." directives. This issue affects Apache HTTP Server before 2.4.66. Users are recommended to upgrade to version 2.4.66, which fixes the issue.

[CVE-2025-64057] [Modified: 09-01-2026] [Analyzed] [V3.1 S8.3:HIGH] Directory traversal vulnerability in Fanvil x210 V2 2.12.20 allows unauthenticated attackers on the local network to store files in arbitrary locations and potentially modify the system configuration or other unspecified impacts.

[CVE-2025-14090] [Modified: 10-12-2025] [Analyzed] [V3.1 S4.7:MEDIUM] A security flaw has been discovered in AMTT Hotel Broadband Operation System 1.0. This affects an unknown part of the file /manager/card/cardmake_down.php. Performing manipulation of the argument ID results in sql injection. It is possible to initiate the attack remotely. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way.

[CVE-2025-14092] [Modified: 10-12-2025] [Analyzed] [V3.1 S4.7:MEDIUM] A security vulnerability has been detected in Edimax BR-6478AC V3 1.0.15. This issue affects the function sub_416898 of the file /boafrm/formDebugDiagnosticRun. The manipulation of the argument host leads to os command injection. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

[CVE-2025-64052] [Modified: 31-12-2025] [Analyzed] [V3.1 S5.1:MEDIUM] An issue was discovered in Fanvil x210 V2 2.12.20 allowing unauthenticated attackers on the local network to execute arbitrary system commands.

[CVE-2025-64053] [Modified: 09-01-2026] [Analyzed] [V3.1 S7.5:HIGH] A Buffer overflow vulnerability on Fanvil x210 2.12.20 devices allows attackers to cause a denial of service or potentially execute arbitrary commands via crafted POST request to the /cgi-bin/webconfig?page=upload&action=submit endpoint.

[CVE-2025-64054] [Modified: 09-01-2026] [Analyzed] [V3.1 S9.6:CRITICAL] A reflected Cross Site Scripting (XSS) vulnerability on Fanvil x210 2.12.20 devices allows attackers to cause a denial of service or potentially execute arbitrary commands via crafted POST request to the /cgi-bin/webconfig?page=upload&action=submit endpoint.

[CVE-2025-64056] [Modified: 09-01-2026] [Analyzed] [V3.1 S4.3:MEDIUM] File upload vulnerability in Fanvil x210 V2 2.12.20 allows unauthenticated attackers on the local network to store arbitrary files on the filesystem.

[CVE-2025-65730] [Modified: 11-12-2025] [Analyzed] [V3.1 S8.8:HIGH] Authentication Bypass via Hardcoded Credentials GoAway up to v0.62.18, fixed in 0.62.19, uses a hardcoded secret for signing JWT tokens used for authentication.

[CVE-2025-65897] [Modified: 12-12-2025] [Analyzed] [V3.1 S8.8:HIGH] zdh_web is a data collection, processing, monitoring, scheduling, and management platform. In zdh_web thru 5.6.17, insufficient validation of file upload paths in the application allows an authenticated user to write arbitrary files to the server file system, potentially overwriting existing files and leading to privilege escalation or remote code execution.

[CVE-2025-66418] [Modified: 10-12-2025] [Analyzed] [V3.1 S7.5:HIGH] urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression chain was unbounded allowing a malicious server to insert a virtually unlimited number of compression steps leading to high CPU usage and massive memory allocation for the decompressed data. This vulnerability is fixed in 2.6.0.

[CVE-2025-14093] [Modified: 11-12-2025] [Analyzed] [V3.1 S4.7:MEDIUM] A vulnerability was detected in Edimax BR-6478AC V3 1.0.15. Impacted is the function sub_416990 of the file /boafrm/formTracerouteDiagnosticRun. The manipulation of the argument host results in os command injection. The attack can be launched remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

[CVE-2025-14094] [Modified: 11-12-2025] [Analyzed] [V3.1 S4.7:MEDIUM] A flaw has been found in Edimax BR-6478AC V3 1.0.15. The affected element is the function sub_44CCE4 of the file /boafrm/formSysCmd. This manipulation of the argument sysCmd causes os command injection. The attack may be initiated remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

[CVE-2025-65036] [Modified: 20-02-2026] [Analyzed] [V3.1 S8.3:HIGH] XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Prior to 1.27.1, the macro executes Velocity from the details pages without checking for permissions, which can lead to remote code execution. This vulnerability is fixed in 1.27.1.

[CVE-2025-65878] [Modified: 12-12-2025] [Analyzed] [V3.1 S7.5:HIGH] The warehouse management system version 1.2 contains an arbitrary file read vulnerability. The endpoint `/file/showImageByPath` does not sanitize user-controlled path parameters. An attacker could exploit directory traversal to read arbitrary files on the server's file system. This could lead to the leakage of sensitive system information.

[CVE-2025-65879] [Modified: 12-12-2025] [Analyzed] [V3.1 S8.1:HIGH] Warehouse Management System 1.2 contains an authenticated arbitrary file deletion vulnerability. The /goods/deleteGoods endpoint accepts a user-controlled goodsimg parameter, which is directly concatenated with the server's UPLOAD_PATH and passed to File.delete() without validation. A remote authenticated attacker can delete arbitrary files on the server by supplying directory traversal payloads.

[CVE-2025-66471] [Modified: 10-12-2025] [Analyzed] [V3.1 S7.5:HIGH] urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.0 and prior to 2.6.0, the Streaming API improperly handles highly compressed data. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. When streaming a compressed response, urllib3 can perform decoding or decompression based on the HTTP Content-Encoding header (e.g., gzip, deflate, br, or zstd). The library must read compressed data from the network and decompress it until the requested chunk size is met. Any resulting decompressed data that exceeds the requested amount is held in an internal buffer for the next read operation. The decompression logic could cause urllib3 to fully decode a small amount of highly compressed data in a single operation. This can result in excessive resource consumption (high CPU usage and massive memory allocation for the decompressed data.