[25/03/2026 19:32] STF unifica teto salarial e limita penduricalhos no Judiciário e no MP - Correio Braziliense

[25/03/2026 17:43] Irã rejeita plano dos EUA para fim da guerra; Pentágono confirma envio de tropas paraquedistas à região - BBC

[25/03/2026 04:30] Governador em exercício, Ricardo Couto planeja reduzir secretarias e pedir investigação se encontrar irregularidades - O Globo

[25/03/2026 17:58] Senador é autuado por dirigir sem placa, com giroflex e CNH vencida em SP - CNN Brasil

[25/03/2026 08:35] STF deve rejeitar decisão de Mendonça sobre prorrogação da CPMI do INSS - Revista Oeste

[25/03/2026 13:09] Advogado de Bolsonaro passa a comandar a defesa do cunhado de Vorcaro - CartaCapital

[25/03/2026 20:28] Senado aprova a criação do “vicaricídio” e a inclusão na Lei Maria da Penha - CNN Brasil

[25/03/2026 14:47] Escolas terão conteúdos de prevenção à violência contra a mulher - Agência Brasil

[25/03/2026 11:48] CEO da Embraer fala em exportar caça supersônico produzido no Brasil - Poder360

[25/03/2026 10:18] Flávio Bolsonaro lidera 2º turno contra Lula, dentro da margem de erro - Correio Braziliense

[CVE-2025-59390] [Modified: 04-12-2025] [Analyzed] [V3.1 S9.8:CRITICAL] Apache Druid’s Kerberos authenticator uses a weak fallback secret when the `druid.auth.authenticator.kerberos.cookieSignatureSecret` configuration is not explicitly set. In this case, the secret is generated using `ThreadLocalRandom`, which is not a crypto-graphically secure random number generator. This may allow an attacker to predict or brute force the secret used to sign authentication cookies, potentially enabling token forgery or authentication bypass. Additionally, each process generates its own fallback secret, resulting in inconsistent secrets across nodes. This causes authentication failures in distributed or multi-broker deployments, effectively leading to a incorrectly configured clusters. Users are advised to configure a strong `druid.auth.authenticator.kerberos.cookieSignatureSecret` This issue affects Apache Druid: through 34.0.0. Users are recommended to upgrade to version 35.0.0, which fixes the issue making it mandatory to set `druid.auth.authenticator.kerberos.cookieSignatureSecret` when using the Kerberos authenticator. Services will fail to come up if the secret is not set.

[CVE-2025-62728] [Modified: 04-12-2025] [Analyzed] [V3.1 S5.4:MEDIUM] SQL injection vulnerability in Hive Metastore Server (HMS) when processing delete column statistics requests via the Thrift APIs. The vulnerability is only exploitable by trusted/authorized users/applications that are allowed to call directly the Thrift APIs. In most real-world deployments, HMS is accessible to only a handful of applications (e.g., Hiveserver2) thus the vulnerability is not exploitable. Moreover, the vulnerable code cannot be reached when metastore.try.direct.sql property is set to false. This issue affects Apache Hive: from 4.1.0 before 4.2.0. Users are recommended to upgrade to version 4.2.0, which fixes the issue. Users who cannot upgrade directly are encouraged to set metastore.try.direct.sql property to false if the HMS Thrift APIs are exposed to general public.

[CVE-2025-13674] [Modified: 03-12-2025] [Analyzed] [V3.1 S5.5:MEDIUM] BPv7 dissector crash in Wireshark 4.6.0 allows denial of service

[CVE-2025-50399] [Modified: 02-01-2026] [Analyzed] [V3.1 S9.8:CRITICAL] FAST FAC1200R F400_FAC1200R_Q is vulnerable to Buffer Overflow in the function sub_80435780 via the parameter password.

[CVE-2025-50402] [Modified: 02-01-2026] [Analyzed] [V3.1 S9.8:CRITICAL] FAST FAC1200R F400_FAC1200R_Q is vulnerable to Buffer Overflow in the function sub_80435780 via the parameter string fac_password.

[CVE-2025-63938] [Modified: 02-01-2026] [Analyzed] [V3.1 S6.5:MEDIUM] Tinyproxy through 1.11.2 contains an integer overflow vulnerability in the strip_return_port() function within src/reqs.c.

[CVE-2025-65235] [Modified: 02-01-2026] [Analyzed] [V3.1 S9.8:CRITICAL] OpenCode Systems USSD Gateway OC Release: 5 Version 6.13.11 was discovered to contain a SQL injection vulnerability via the ID parameter in the getSubUsersByProvider function.

[CVE-2025-65236] [Modified: 02-01-2026] [Analyzed] [V3.1 S9.8:CRITICAL] OpenCode Systems USSD Gateway OC Release: 5 was discovered to contain a SQL injection vulnerability via the Session ID parameter in the /occontrolpanel/index.php endpoint.

[CVE-2025-65237] [Modified: 02-01-2026] [Analyzed] [V3.1 S6.1:MEDIUM] A reflected cross-site scripted (XSS) vulnerability in OpenCode Systems USSD Gateway OC Release: 5 allows attackers to execute arbitrary JavaScript in the context of a user's browser via injecting a crafted payload.

[CVE-2025-65238] [Modified: 02-01-2026] [Analyzed] [V3.1 S6.5:MEDIUM] Incorrect access control in the getSubUsersByProvider function of OpenCode Systems USSD Gateway OC Release: 5 Version 6.13.11 allows attackers with low-level privileges to dump user records and access sensitive information.

[CVE-2025-65239] [Modified: 30-12-2025] [Analyzed] [V3.1 S4.3:MEDIUM] Incorrect access control in the /aux1/ocussd/trace endpoint of OpenCode Systems USSD Gateway OC Release:5, version 6.13.11 allows attackers with low-level privileges to read server logs.

[CVE-2025-11461] [Modified: 19-12-2025] [Analyzed] [V3.1 S8.8:HIGH] Multiple SQL Injections in Frappe CRM Dashboard Controller due to unsafe concatenation of user-controlled parameters into dynamic SQL statements. This issue affects Frappe CRM: 1.53.1.

[CVE-2025-2486] [Modified: 19-12-2025] [Analyzed] [V3.1 S8.8:HIGH] The Ubuntu edk2 UEFI firmware packages accidentally allowed the UEFI Shell to be accessed in Secure Boot environments, possibly allowing bypass of Secure Boot constraints. Versions 2024.05-2ubuntu0.3 and 2024.02-2ubuntu0.3 disable the Shell. Some previous versions inserted a secure-boot-based decision to continue running inside the Shell itself, which is believed to be sufficient to enforce Secure Boot restrictions. This is an additional repair on top of the incomplete fix for CVE-2023-48733.

[CVE-2025-55469] [Modified: 05-12-2025] [Analyzed] [V3.1 S9.8:CRITICAL] Incorrect access control in youlai-boot v2.21.1 allows attackers to escalate privileges and access the Administrator backend.

[CVE-2025-55471] [Modified: 05-12-2025] [Analyzed] [V3.1 S7.5:HIGH] Incorrect access control in the getUserFormData function of youlai-boot v2.21.1 allows attackers to access sensitive information for other users.

[CVE-2025-26155] [Modified: 30-12-2025] [Analyzed] [V3.1 S9.8:CRITICAL] NCP Secure Enterprise Client 13.18 and NCP Secure Entry Windows Client 13.19 have an Untrusted Search Path vulnerability.

[CVE-2025-65669] [Modified: 03-12-2025] [Analyzed] [V3.1 S9.1:CRITICAL] An issue was discovered in classroomio 0.1.13. Student accounts are able to delete courses from the Explore page without any authorization or authentication checks, bypassing the expected admin-only deletion restriction.

[CVE-2025-65672] [Modified: 05-12-2025] [Analyzed] [V3.1 S7.5:HIGH] Insecure Direct Object Reference (IDOR) in classroomio 0.1.13 allows unauthorized share and invite access to course settings.

[CVE-2025-65675] [Modified: 05-12-2025] [Analyzed] [V3.1 S5.4:MEDIUM] Stored Cross site scripting (XSS) vulnerability in Classroomio LMS 0.1.13 allows authenticated attackers to execute arbitrary code via crafted SVG profile pictures.

[CVE-2025-65676] [Modified: 03-12-2025] [Analyzed] [V3.1 S5.4:MEDIUM] Stored Cross site scripting (XSS) vulnerability in Classroomio LMS 0.1.13 allows authenticated attackers to execute arbitrary code via crafted SVG cover images.