[18/03/2026 19:57] Viúva de homem morto no Morro dos Prazeres nega troca de tiros e diz que não houve reféns em ação da PM - O Globo

[18/03/2026 12:44] Petróleo passa US$ 110 no pós-mercado após Catar afirmar ataques do Irã - CNN Brasil

[18/03/2026 17:36] Defesa de Vorcaro se reuniu com Mendonça para tratar de delação - Poder360

[18/03/2026 22:37] Gasolina aumentou porque muita gente tira proveito da desgraça, diz Lula - CNN Brasil

[19/03/2026 06:49] “Não vou trocar sexo por moradia”, disse PM Gisele ao sugerir separação - CNN Brasil

[18/03/2026 18:55] Inteligência americana contradiz Trump sobre alcance de mísseis iranianos e enriquecimento de urânio de República Islâmica - O Globo

[19/03/2026 03:31] Flávio Bolsonaro apoia Moro para governo do Paraná - Poder360

[18/03/2026 20:36] PF diz a STF que CPMI restaurou dados de Vorcaro que haviam sido apagados - CNN Brasil

[18/03/2026 16:39] Lula assina decretos de regulamentação do ECA Digital; veja o que muda - Metrópoles

[18/03/2026 22:23] Câmara aprova alteração do nome da Rua Peixoto Gomide em SP - CNN Brasil

[CVE-2025-13206] [Modified: 26-11-2025] [Analyzed] [V3.1 S7.2:HIGH] The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘name’ parameter in all versions up to, and including, 4.13.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Avatars must be enabled in the WordPress install in order to exploit the vulnerability.

[CVE-2025-11446] [Modified: 02-12-2025] [Analyzed] [V3.1 S6.5:MEDIUM] Insertion of Sensitive Information into Log File vulnerability in upKeeper Solutions upKeeper Manager allows Use of Known Domain Credentials.This issue affects upKeeper Manager: from 5.2.0 before 5.2.12.

[CVE-2025-11230] [Modified: 19-12-2025] [Analyzed] [V3.1 S7.5:HIGH] Inefficient algorithm complexity in mjson in HAProxy allows remote attackers to cause a denial of service via specially crafted JSON requests.

[CVE-2025-58412] [Modified: 20-11-2025] [Analyzed] [V3.1 S4.7:MEDIUM] A improper neutralization of script-related html tags in a web page (basic xss) vulnerability in Fortinet FortiADC 8.0.0, FortiADC 7.6.0 through 7.6.3, FortiADC 7.4 all versions, FortiADC 7.2 all versions may allow attacker to execute unauthorized code or commands via crafted URL.

[CVE-2025-64408] [Modified: 25-11-2025] [Analyzed] [V3.1 S6.3:MEDIUM] Apache Causeway faces Java deserialization vulnerabilities that allow remote code execution (RCE) through user-controllable URL parameters. These vulnerabilities affect all applications using Causeway's ViewModel functionality and can be exploited by authenticated attackers to execute arbitrary code with application privileges.  This issue affects all current versions. Users are recommended to upgrade to version 3.5.0, which fixes the issue.

[CVE-2025-63218] [Modified: 12-01-2026] [Analyzed] [V3.1 S9.8:CRITICAL] The Axel Technology WOLF1MS and WOLF2MS devices (firmware versions 0.8.5 to 1.0.3) are vulnerable to Broken Access Control due to missing authentication on the /cgi-bin/gstFcgi.fcgi endpoint. Unauthenticated remote attackers can list user accounts, create new administrative users, delete users, and modify system settings, leading to full compromise of the device.

[CVE-2025-63219] [Modified: 12-01-2026] [Analyzed] [V3.1 S7.5:HIGH] The ITEL ISO FM SFN Adapter (firmware ISO2 2.0.0.0, WebServer 2.0) is vulnerable to session hijacking due to improper session management on the /home.html endpoint. An attacker can access an active session without authentication, allowing them to control the device, modify configurations, and compromise system integrity.

[CVE-2025-63243] [Modified: 12-01-2026] [Analyzed] [V3.1 S4.6:MEDIUM] A reflected cross-site scripting (XSS) vulnerability exists in the password change functionality of Pixeon WebLaudos 25.1 (01). The sle_sSenha parameter to the loginAlterarSenha.asp file. An attacker can craft a malicious URL that, when visited by a victim, causes arbitrary JavaScript code to be executed in the victim's browser within the security context of the vulnerable application. This issue could allow attackers to steal session cookies, disclose sensitive information, perform unauthorized actions on behalf of the user, or conduct phishing attacks.

[CVE-2025-13396] [Modified: 20-11-2025] [Analyzed] [V3.1 S6.3:MEDIUM] A weakness has been identified in code-projects Courier Management System 1.0. This affects an unknown function of the file /add-office.php. This manipulation of the argument OfficeName causes sql injection. The attack may be initiated remotely. The exploit has been made available to the public and could be exploited.

[CVE-2025-13397] [Modified: 01-12-2025] [Analyzed] [V3.1 S3.3:LOW] A security vulnerability has been detected in mrubyc up to 3.4. This impacts the function mrbc_raw_realloc of the file src/alloc.c. Such manipulation of the argument ptr leads to null pointer dereference. An attack has to be approached locally. The name of the patch is 009111904807b8567262036bf45297c3da8f1c87. It is advisable to implement a patch to correct this issue.

[CVE-2025-63220] [Modified: 08-01-2026] [Analyzed] [V3.1 S7.2:HIGH] The Sound4 FIRST web-based management interface is vulnerable to Remote Code Execution (RCE) via a malicious firmware update package. The update mechanism fails to validate the integrity of manual.sh, allowing an attacker to inject arbitrary commands by modifying this script and repackaging the firmware.

[CVE-2025-63221] [Modified: 12-01-2026] [Analyzed] [V3.1 S9.1:CRITICAL] The Axel Technology puma devices (firmware versions 0.8.5 to 1.0.3) are vulnerable to Broken Access Control due to missing authentication on the /cgi-bin/gstFcgi.fcgi endpoint. Unauthenticated remote attackers can list user accounts, create new administrative users, delete users, and modify system settings, leading to full compromise of the device.

[CVE-2025-63223] [Modified: 15-01-2026] [Analyzed] [V3.1 S9.8:CRITICAL] The Axel Technology StreamerMAX MK II devices (firmware versions 0.8.5 to 1.0.3) are vulnerable to Broken Access Control due to missing authentication on the /cgi-bin/gstFcgi.fcgi endpoint. Unauthenticated remote attackers can list user accounts, create new administrative users, delete users, and modify system settings, leading to full compromise of the device.

[CVE-2025-63224] [Modified: 15-01-2026] [Analyzed] [V3.1 S10.0:CRITICAL] The Itel DAB Encoder (IDEnc build 25aec8d) is vulnerable to Authentication Bypass due to improper JWT validation across devices. Attackers can reuse a valid JWT token obtained from one device to authenticate and gain administrative access to any other device running the same firmware, even if the passwords and networks are different. This allows full compromise of affected devices.

[CVE-2025-63878] [Modified: 31-12-2025] [Analyzed] [V3.1 S6.5:MEDIUM] Github Restaurant Website Restoran v1.0 was discovered to contain a SQL injection vulnerability via the Contact Form page.

[CVE-2025-63879] [Modified: 12-12-2025] [Analyzed] [V3.1 S6.1:MEDIUM] A reflected cross-site scripted (XSS) vulnerability in the /ecommerce/products.php component of E-commerce Project v1.0 and earlier allows attackers to execute arbitrary Javascript in the context of a user's browser via injecting a crafted payload into the id parameter.

[CVE-2025-65022] [Modified: 20-11-2025] [Analyzed] [V3.1 S7.2:HIGH] i-Educar is free, fully online school management software. In versions 2.10.0 and prior, an authenticated time-based SQL injection vulnerability exists in the ieducar/intranet/agenda.php script. An attacker with access to an authenticated session can execute arbitrary SQL commands against the application's database. This vulnerability is caused by the improper handling of the cod_agenda request parameter, which is directly concatenated into multiple SQL queries without proper sanitization. This issue has been patched in commit b473f92.

[CVE-2025-65023] [Modified: 20-11-2025] [Analyzed] [V3.1 S7.2:HIGH] i-Educar is free, fully online school management software. In versions 2.10.0 and prior, an authenticated time-based SQL injection vulnerability exists in the ieducar/intranet/funcionario_vinculo_cad.php script. An attacker with access to an authenticated session can execute arbitrary SQL commands against the application's database. This vulnerability is caused by the improper handling of the cod_funcionario_vinculo GET parameter, which is directly concatenated into an SQL query without proper sanitization. This issue has been patched in commit a00dfa3.

[CVE-2025-65024] [Modified: 20-11-2025] [Analyzed] [V3.1 S7.2:HIGH] i-Educar is free, fully online school management software. In versions 2.10.0 and prior, an authenticated time-based SQL injection vulnerability exists in the ieducar/intranet/agenda_admin_cad.php script. An attacker with access to an authenticated session can execute arbitrary SQL commands against the application's database. This vulnerability is caused by the improper handling of the cod_agenda GET parameter, which is directly concatenated into an SQL query without proper sanitization. This issue has been patched in commit 3e9763a.

[CVE-2025-12766] [Modified: 01-12-2025] [Analyzed] [V3.1 S5.0:MEDIUM] An Insecure Direct Object Reference (IDOR) vulnerability in the Management Console of BlackBerry® AtHoc® (OnPrem) version 7.21 could allow an attacker to potentially gain unauthorized knowledge about other organizations hosted on the same Interactive Warning System (IWS).