[15/01/2026 13:45] Mariana Barbosa: Primeiro sócio de Vorcaro na Faria Lima revela origem fraudulenta do Master - UOL Economia

[15/01/2026 15:00] Banco Master foi ‘eixo’ de mega reunião de Lula com ministros, Judiciário e Ministério Público - Valor Econômico

[15/01/2026 10:41] Trump ameaça intervenção militar em Minnesota - ICL Notícias

[15/01/2026 03:30] Emendas são usadas para abastecer ONGs sem sede, funcionários ou capacidade para executar projetos - O Globo

[15/01/2026 15:38] Trump recebe María Corina Machado enquanto consolida diálogo com Caracas - CartaCapital

[15/01/2026 14:11] Atualizações sobre o processamento de vistos de imigrante para nacionalidades com alto risco de uso de benefícios públicos - U.S. Embassy & Consulates in Brazil (.gov)

[15/01/2026 15:56] MP denuncia jovem que deixou amigo para trás em trilha e pede R$ 13 mil - CNN Brasil

[15/01/2026 18:25] Irmã de Ricardo Nunes é flagrada pelo Smart Sampa e presa com mandados em aberto por lesão corporal e desacato contra PM - G1

[15/01/2026 13:43] Receita Federal desmente Nikolas sobre Pix - Estado de Minas

[15/01/2026 17:42] Moraes autoriza Bolsonaro a ler livros para reduzir a pena da trama golpista - G1

[CVE-2025-10608] [Modified: 18-09-2025] [Analyzed] [V3.1 S6.3:MEDIUM] A vulnerability was detected in Portabilis i-Educar up to 2.10. The affected element is an unknown function of the file /enrollment-history/. Performing manipulation results in improper access controls. The attack is possible to be carried out remotely. The exploit is now public and may be used.

[CVE-2025-10613] [Modified: 20-09-2025] [Analyzed] [V3.1 S6.3:MEDIUM] A vulnerability has been found in itsourcecode Student Information System 1.0. The affected element is an unknown function of the file /leveledit1.php. Such manipulation of the argument level_id leads to sql injection. The attack may be performed from remote. The exploit has been disclosed to the public and may be used.

[CVE-2025-56648] [Modified: 26-09-2025] [Analyzed] [V3.1 S6.5:MEDIUM] npm parcel 2.0.0-alpha and before has an Origin Validation Error vulnerability. Malicious websites can send XMLHTTPRequests to the application's development server and read the response to steal source code when developers visit them.

[CVE-2025-59414] [Modified: 03-12-2025] [Analyzed] [V3.1 S3.1:LOW] Nuxt is an open-source web development framework for Vue.js. Prior to 3.19.0 and 4.1.0, A client-side path traversal vulnerability in Nuxt's Island payload revival mechanism allowed attackers to manipulate client-side requests to different endpoints within the same application domain when specific prerendering conditions are met. The vulnerability occurs in the client-side payload revival process (revive-payload.client.ts) where Nuxt Islands are automatically fetched when encountering serialized __nuxt_island objects. During prerendering, if an API endpoint returns user-controlled data containing a crafted __nuxt_island object, he data gets serialized with devalue.stringify and stored in the prerendered page. When a client navigates to the prerendered page, devalue.parse deserializes the payload. The Island reviver attempts to fetch /__nuxt_island/${key}.json where key could contain path traversal sequences. Update to Nuxt 3.19.0+ or 4.1.0+.

[CVE-2025-10614] [Modified: 20-09-2025] [Analyzed] [V3.1 S4.3:MEDIUM] A vulnerability was determined in itsourcecode E-Logbook with Health Monitoring System for COVID-19 1.0 on COVID. This affects an unknown function of the file /print_reports_prev.php. Executing manipulation of the argument profile_id can lead to cross site scripting. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized.

[CVE-2025-10615] [Modified: 20-09-2025] [Analyzed] [V3.1 S6.3:MEDIUM] A vulnerability was identified in itsourcecode E-Commerce Website 1.0. This impacts an unknown function of the file /admin/products.php. The manipulation leads to unrestricted upload. The attack can be initiated remotely. The exploit is publicly available and might be used.

[CVE-2025-59340] [Modified: 26-09-2025] [Analyzed] [V3.1 S9.8:CRITICAL] jinjava is a Java-based template engine based on django template syntax, adapted to render jinja templates. Priori to 2.8.1, by using mapper.getTypeFactory().constructFromCanonical(), it is possible to instruct the underlying ObjectMapper to deserialize attacker-controlled input into arbitrary classes. This enables the creation of semi-arbitrary class instances without directly invoking restricted methods or class literals. As a result, an attacker can escape the sandbox and instantiate classes such as java.net.URL, opening up the ability to access local files and URLs(e.g., file:///etc/passwd). With further chaining, this primitive can potentially lead to remote code execution (RCE). This vulnerability is fixed in 2.8.1.

[CVE-2025-59346] [Modified: 18-09-2025] [Analyzed] [V3.1 S5.3:MEDIUM] Dragonfly is an open source P2P-based file distribution and image acceleration system. Versions prior to 2.1.0 contain a server-side request forgery (SSRF) vulnerability that enables users to force DragonFly2’s components to make requests to internal services that are otherwise not accessible to them. The issue arises because the Manager API accepts a user-supplied URL when creating a Preheat job with weak validation, peers can trigger other peers to fetch an arbitrary URL through pieceManager.DownloadSource, and internal HTTP clients follow redirects, allowing a request to a malicious server to be redirected to internal services. This can be used to probe or access internal HTTP endpoints. The vulnerability is fixed in version 2.1.0.

[CVE-2025-59347] [Modified: 18-09-2025] [Analyzed] [V3.1 S6.5:MEDIUM] Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, The Manager disables TLS certificate verification in HTTP clients. The clients are not configurable, so users have no way to re-enable the verification. A Manager processes dozens of preheat jobs. An adversary performs a network-level Man-in-the-Middle attack, providing invalid data to the Manager. The Manager preheats with the wrong data, which later causes a denial of service and file integrity problems. This vulnerability is fixed in 2.1.0.

[CVE-2025-59348] [Modified: 18-09-2025] [Analyzed] [V3.1 S7.5:HIGH] Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, the processPieceFromSource method does not update the structure’s usedTraffic field, because an uninitialized variable n is used as a guard to the AddTraffic method call, instead of the result.Size variable. A task is processed by a peer. The usedTraffic metadata is not updated during the processing. Rate limiting is incorrectly applied, leading to a denial-of-service condition for the peer. This vulnerability is fixed in 2.1.0.

[CVE-2025-59349] [Modified: 18-09-2025] [Analyzed] [V3.1 S3.3:LOW] Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, DragonFly2 uses the os.MkdirAll function to create certain directory paths with specific access permissions. This function does not perform any permission checks when a given directory path already exists. This allows a local attacker to create a directory to be used later by DragonFly2 with broad permissions before DragonFly2 does so, potentially allowing the attacker to tamper with the files. This vulnerability is fixed in 2.1.0.

[CVE-2025-59350] [Modified: 18-09-2025] [Analyzed] [V3.1 S5.3:MEDIUM] Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, the access control mechanism for the Proxy feature uses simple string comparisons and is therefore vulnerable to timing attacks. An attacker may try to guess the password one character at a time by sending all possible characters to a vulnerable mechanism and measuring the comparison instruction’s execution times. This vulnerability is fixed in 2.1.0.

[CVE-2025-59351] [Modified: 18-09-2025] [Analyzed] [V3.1 S5.3:MEDIUM] Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, the first return value of a function is dereferenced even when the function returns an error. This can result in a nil dereference, and cause code to panic. This vulnerability is fixed in 2.1.0.

[CVE-2025-59352] [Modified: 18-09-2025] [Analyzed] [V3.1 S9.8:CRITICAL] Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, the gRPC API and HTTP APIs allow peers to send requests that force the recipient peer to create files in arbitrary file system locations, and to read arbitrary files. This allows peers to steal other peers’ secret data and to gain remote code execution (RCE) capabilities on the peer’s machine.This vulnerability is fixed in 2.1.0.

[CVE-2025-59353] [Modified: 18-09-2025] [Analyzed] [V3.1 S7.5:HIGH] Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, a peer can obtain a valid TLS certificate for arbitrary IP addresses, effectively rendering the mTLS authentication useless. The issue is that the Manager’s Certificate gRPC service does not validate if the requested IP addresses “belong to” the peer requesting the certificate—that is, if the peer connects from the same IP address as the one provided in the certificate request. This vulnerability is fixed in 2.1.0.

[CVE-2025-59354] [Modified: 18-09-2025] [Analyzed] [V3.1 S5.3:MEDIUM] Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, the DragonFly2 uses a variety of hash functions, including the MD5 hash, for downloaded files. This allows attackers to replace files with malicious ones that have a colliding hash. This vulnerability is fixed in 2.1.0.

[CVE-2025-59410] [Modified: 18-09-2025] [Analyzed] [V3.1 S3.7:LOW] Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, the code in the scheduler for downloading a tiny file is hard coded to use the HTTP protocol, rather than HTTPS. This means that an attacker could perform a Man-in-the-Middle attack, changing the network request so that a different piece of data gets downloaded. This vulnerability is fixed in 2.1.0.

[CVE-2025-10616] [Modified: 20-09-2025] [Analyzed] [V3.1 S6.3:MEDIUM] A security flaw has been discovered in itsourcecode E-Commerce Website 1.0. Affected is an unknown function of the file /admin/users.php. The manipulation results in unrestricted upload. The attack can be launched remotely. The exploit has been released to the public and may be exploited.

[CVE-2025-10617] [Modified: 20-09-2025] [Analyzed] [V3.1 S6.3:MEDIUM] A weakness has been identified in SourceCodester Online Polling System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/positions.php. This manipulation of the argument ID causes sql injection. The attack may be initiated remotely. The exploit has been made available to the public and could be exploited.

[CVE-2025-10618] [Modified: 20-09-2025] [Analyzed] [V3.1 S6.3:MEDIUM] A security vulnerability has been detected in itsourcecode Online Clinic Management System 1.0. Affected by this issue is some unknown functionality of the file transact.php. Such manipulation of the argument firstname leads to sql injection. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. Other parameters might be affected as well.