[04/03/2026 15:55] Irã ameaça atacar embaixadas de Israel em 'todo o mundo': 'Alvos legítimos' - UOL Notícias

[04/03/2026 16:34] Incluindo Nikolas, Vorcaro tinha 18 deputados e ex-deputados em seu celular; todos bolsonaristas - Revista Fórum

[04/03/2026 23:40] Irã lança nova onda de mísseis contra Israel durante a madrugada - CNN Brasil

[04/03/2026 20:08] Aumento gradual da licença-paternidade vai à sanção presidencial - Senado Federal

[04/03/2026 17:45] EUA e Israel reduziram em quase 90% o disparo de mísseis do Irã - Revista Oeste

[04/03/2026 16:41] Casa Branca diz que Espanha aceitou cooperar com exército dos EUA; governo espanhol nega - CartaCapital

[04/03/2026 20:14] PF diz que 'Sicário' de Vorcaro cometeu suicídio na prisão - G1

[04/03/2026 17:27] Estupro coletivo na Baixada Fluminense: polícia procura adolescente e quatro maiores - Extra online

[04/03/2026 21:14] Israel ataca alvos do Hezbollah em Beirute - CNN Brasil

[04/03/2026 17:27] Há quase uma semana sem poder sair do Catar, Miá Mello desabafa: ‘me sinto desamparada’ - O Globo

[CVE-2025-12735] [Modified: 10-02-2026] [Analyzed] [V3.1 S9.8:CRITICAL] The expr-eval library is a JavaScript expression parser and evaluator designed to safely evaluate mathematical expressions with user-defined variables. However, due to insufficient input validation, an attacker can pass a crafted context object or use MEMBER of the context object into the evaluate() function and trigger arbitrary code execution.

[CVE-2025-21071] [Modified: 07-11-2025] [Analyzed] [V3.1 S5.7:MEDIUM] Out-of-bounds write in handling opcode in fingerprint trustlet prior to SMR Nov-2025 Release 1 allows local privileged attackers to write out-of-bounds memory.

[CVE-2025-21073] [Modified: 07-11-2025] [Analyzed] [V3.1 S6.8:MEDIUM] Insecure default configuration in USB connection mode prior to SMR Nov-2025 Release 1 allows privileged physical attackers to access user data. User interaction is required for triggering this vulnerability.

[CVE-2025-21074] [Modified: 07-11-2025] [Analyzed] [V3.1 S4.3:MEDIUM] Out-of-bounds read in libimagecodec.quram.so prior to SMR Nov-2025 Release 1 allows remote attackers to access out-of-bounds memory.

[CVE-2025-21075] [Modified: 07-11-2025] [Analyzed] [V3.1 S4.3:MEDIUM] Out-of-bounds write in libimagecodec.quram.so prior to SMR Nov-2025 Release 1 allows remote attackers to access out-of-bounds memory.

[CVE-2025-21076] [Modified: 07-11-2025] [Analyzed] [V3.1 S5.5:MEDIUM] Improper handling of insufficient permissions or privileges in Samsung Account prior to version 15.5.00.18 allows local attackers to access data in Samsung Account. User interaction is required for triggering this vulnerability.

[CVE-2025-21077] [Modified: 07-11-2025] [Analyzed] [V3.1 S3.3:LOW] Improper input validation in Samsung Email prior to version 6.2.06.0 allows local attackers to launch arbitrary activity with Samsung Email privilege.

[CVE-2025-21078] [Modified: 07-11-2025] [Analyzed] [V3.1 S8.8:HIGH] Use of insufficiently random value of secretKey in Smart Switch prior to version 3.7.68.6 allows adjacent attackers to access backup data from applications.

[CVE-2025-21079] [Modified: 07-11-2025] [Analyzed] [V3.1 S7.1:HIGH] Improper input validation in Samsung Members prior to version 5.5.01.3 allows remote attackers to connect arbitrary URL and launch arbitrary activity with Samsung Members privilege. User interaction is required for triggering this vulnerability.

[CVE-2025-12468] [Modified: 04-12-2025] [Analyzed] [V3.1 S5.3:MEDIUM] The FunnelKit Automations – Email Marketing Automation and CRM for WordPress & WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.6.4.1 via the '/wc-coupons/' REST API endpoint. This is due to the endpoint being marked as a public API (`public_api = true`), which results in the endpoint being registered with `permission_callback => '__return_true'`, bypassing all authentication and capability checks. This makes it possible for unauthenticated attackers to extract sensitive data including all WooCommerce coupon codes, coupon IDs, and expiration status.

[CVE-2025-12469] [Modified: 04-12-2025] [Analyzed] [V3.1 S4.3:MEDIUM] The FunnelKit Automations – Email Marketing Automation and CRM for WordPress & WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.6.4.1. This is due to the plugin not properly verifying that a user is authorized to perform administrative actions in the `bwfan_test_email` AJAX handler. The nonce used for verification is publicly exposed to all visitors (including unauthenticated users) via the frontend JavaScript localization, and the `check_nonce()` function accepts low-privilege authenticated users who possess this nonce. This makes it possible for authenticated attackers, with Subscriber-level access and above, to send arbitrary emails from the site with attacker-controlled subject and body content.

[CVE-2025-58337] [Modified: 12-11-2025] [Analyzed] [V3.1 S5.4:MEDIUM] An attacker with a valid read-only account can bypass Doris MCP Server’s read-only mode due to improper access control, allowing modifications that should have been prevented by read-only restrictions. Impact: Bypasses read-only mode; attackers with read-only access may perform unauthorized modifications. Recommended action for operators: Upgrade to version 0.6.0 as soon as possible (this release contains the fix).

[CVE-2025-3125] [Modified: 04-12-2025] [Analyzed] [V3.1 S6.7:MEDIUM] An arbitrary file upload vulnerability exists in multiple WSO2 products due to improper input validation in the CarbonAppUploader admin service endpoint. An authenticated attacker with appropriate privileges can upload a malicious file to a user-controlled location on the server, potentially leading to remote code execution (RCE). This functionality is restricted by default to admin users; therefore, successful exploitation requires valid credentials with administrative permissions.

[CVE-2025-46404] [Modified: 07-11-2025] [Analyzed] [V3.1 S7.5:HIGH] A denial of service vulnerability exists in the lasso_provider_verify_saml_signature functionality of Entr'ouvert Lasso 2.5.1. A specially crafted SAML response can lead to a denial of service. An attacker can send a malformed SAML response to trigger this vulnerability.

[CVE-2025-46705] [Modified: 07-11-2025] [Analyzed] [V3.1 S7.5:HIGH] A denial of service vulnerability exists in the g_assert_not_reached functionality of Entr'ouvert Lasso 2.5.1 and 2.8.2. A specially crafted SAML assertion response can lead to a denial of service. An attacker can send a malformed SAML response to trigger this vulnerability.

[CVE-2025-46784] [Modified: 07-11-2025] [Analyzed] [V3.1 S7.5:HIGH] A denial of service vulnerability exists in the lasso_node_init_from_message_with_format functionality of Entr'ouvert Lasso 2.5.1. A specially crafted SAML response can lead to a memory depletion, resulting in denial of service. An attacker can send a malformed SAML response to trigger this vulnerability.

[CVE-2025-47151] [Modified: 07-11-2025] [Analyzed] [V3.1 S9.8:CRITICAL] A type confusion vulnerability exists in the lasso_node_impl_init_from_xml functionality of Entr'ouvert Lasso 2.5.1 and 2.8.2. A specially crafted SAML response can lead to an arbitrary code execution. An attacker can send a malformed SAML response to trigger this vulnerability.

[CVE-2025-64458] [Modified: 10-11-2025] [Analyzed] [V3.1 S7.5:HIGH] An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. NFKC normalization in Python is slow on Windows. As a consequence, `django.http.HttpResponseRedirect`, `django.http.HttpResponsePermanentRedirect`, and the shortcut `django.shortcuts.redirect` were subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.

[CVE-2025-64459] [Modified: 10-11-2025] [Analyzed] [V3.1 S9.1:CRITICAL] An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. The methods `QuerySet.filter()`, `QuerySet.exclude()`, and `QuerySet.get()`, and the class `Q()`, are subject to SQL injection when using a suitably crafted dictionary, with dictionary expansion, as the `_connector` argument. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank cyberstan for reporting this issue.

[CVE-2025-57130] [Modified: 02-02-2026] [Analyzed] [V3.1 S8.3:HIGH] An Incorrect Access Control vulnerability in the user management component of ZwiiCMS up to v13.6.07 allows a remote, authenticated attacker to escalate their privileges. By sending a specially crafted HTTP request, a low-privilege user can access and modify the profile data of any other user, including administrators.