Current Conditions
São Paulo
broken clouds

23 ℃
78%
Temperature
Humidity
Source: OpenWeatherMap. - 15:30:01
  1. [BRL] BRL 472,107.78 [USD] USD 89,264.82 [GBP] GBP 65,419.42 [EUR] EUR 75,462.69
    Price index provided by blockchain.info.
  2. Bitcoin Core version 30.2 is now available for download. See the release notes for more information about the bug fixes in this release.
    If you have any questions, please stop by the #bitcoin IRC chatroom (IRC, web) and we’ll do our best to help you.

[CVE-2025-11019] [Modified: 16-01-2026] [Analyzed] [V3.1 S2.4:LOW] A vulnerability has been found in Total.js CMS up to 19.9.0. This impacts an unknown function of the component Files Menu. The manipulation leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

[CVE-2025-11026] [Modified: 08-10-2025] [Analyzed] [V3.1 S3.5:LOW] A vulnerability was determined in givanz Vvveb up to 1.0.7.2. Affected by this vulnerability is an unknown functionality of the component Configuration File Handler. This manipulation causes information disclosure. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. Once again the project maintainer reacted very professionally: "I accept the existence of these vulnerabilities. (...) I fixed the code to remove these vulnerabilities and will push the code to github and make a new release."

[CVE-2025-36274] [Modified: 11-12-2025] [Analyzed] [V3.1 S7.5:HIGH] IBM Aspera HTTP Gateway 2.0.0 through 2.3.1 stores sensitive information in clear text in easily obtainable files which can be read by an unauthenticated user.

[CVE-2025-36326] [Modified: 03-10-2025] [Analyzed] [V3.1 S3.7:LOW] IBM Cognos Controller 11.0.0 through 11.0.1, and IBM Controller 11.1.0 through 11.1.1 could allow an attacker to obtain sensitive information due to the use of hardcoded cryptographic keys for signing session cookies.

[CVE-2025-55187] [Modified: 08-10-2025] [Analyzed] [V3.1 S9.9:CRITICAL] In DriveLock 24.1.4 before 24.1.5, 24.2.5 before 24.2.6, and 25.1.2 before 25.1.4, attackers can gain elevated privileges.

[CVE-2025-57292] [Modified: 07-10-2025] [Analyzed] [V3.1 S6.1:MEDIUM] Todoist v8484 contains a stored cross-site scripting (XSS) vulnerability in the avatar upload functionality. The application fails to properly validate the MIME type and sanitize image metadata.

[CVE-2025-11027] [Modified: 07-10-2025] [Analyzed] [V3.1 S2.4:LOW] A vulnerability was identified in givanz Vvveb up to 1.0.7.2. Affected by this issue is some unknown functionality of the component SVG File Handler. Such manipulation leads to cross site scripting. The attack may be launched remotely. The exploit is publicly available and might be used. Once again the project maintainer reacted very professionally: "I accept the existence of these vulnerabilities. (...) I fixed the code to remove these vulnerabilities and will push the code to github and make a new release."

[CVE-2025-11028] [Modified: 07-10-2025] [Analyzed] [V3.1 S5.3:MEDIUM] A security flaw has been discovered in givanz Vvveb up to 1.0.7.2. This affects an unknown part of the component Image Handler. Performing manipulation results in information disclosure. Remote exploitation of the attack is possible. The exploit has been released to the public and may be exploited. Once again the project maintainer reacted very professionally: "I accept the existence of these vulnerabilities. (...) I fixed the code to remove these vulnerabilities and will push the code to github and make a new release."

[CVE-2025-56463] [Modified: 07-10-2025] [Analyzed] [V3.1 S6.8:MEDIUM] Mercusys MW305R 3.30 and below has a Transport Layer Security (TLS) certificate private key disclosure.

[CVE-2025-58385] [Modified: 07-10-2025] [Analyzed] [V3.1 S7.1:HIGH] In DOXENSE WATCHDOC before 6.1.0.5094, private user puk codes can be disclosed for Active Directory registered users (there is hard-coded and predictable data).

[CVE-2025-59362] [Modified: 07-10-2025] [Analyzed] [V3.1 S4.0:MEDIUM] Squid through 7.1 mishandles ASN.1 encoding of long SNMP OIDs. This occurs in asn_build_objid in lib/snmplib/asn1.c.

[CVE-2025-59842] [Modified: 22-10-2025] [Analyzed] [V3.1 S4.3:MEDIUM] jupyterlab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook Architecture. Prior to version 4.4.8, links generated with LaTeX typesetters in Markdown files and Markdown cells in JupyterLab and Jupyter Notebook did not include the noopener attribute. This is deemed to have no impact on the default installations. Theoretically users of third-party LaTeX-rendering extensions could find themselves vulnerable to reverse tabnabbing attacks if links generated by those extensions included target=_blank (no such extensions are known at time of writing) and they were to click on a link generated in LaTeX (typically visibly different from other links). This issue has been patched in version 4.4.8.

[CVE-2025-59843] [Modified: 08-10-2025] [Analyzed] [V3.1 S5.3:MEDIUM] Flag Forge is a Capture The Flag (CTF) platform. From versions 2.0.0 to before 2.3.1, the public endpoint /api/user/[username] returns user email addresses in its JSON response. The problem has been patched in FlagForge version 2.3.1. The fix removes email addresses from public API responses while keeping the endpoint publicly accessible. Users should upgrade to version 2.3.1 or later to eliminate exposure. There are no workarounds for this vulnerability.

[CVE-2025-11029] [Modified: 07-10-2025] [Analyzed] [V3.1 S4.3:MEDIUM] A weakness has been identified in givanz Vvveb up to 1.0.7.2. This vulnerability affects unknown code. Executing manipulation can lead to cross-site request forgery. The attack can be executed remotely. The exploit has been made available to the public and could be exploited. Once again the project maintainer reacted very professionally: "I accept the existence of these vulnerabilities. (...) I fixed the code to remove these vulnerabilities and will push the code to github and make a new release."

[CVE-2025-11031] [Modified: 07-10-2025] [Analyzed] [V3.1 S5.3:MEDIUM] A flaw has been found in DataTables up to 1.10.13. The affected element is an unknown function of the file /examples/resources/examples.php. This manipulation of the argument src causes path traversal. It is possible to initiate the attack remotely. The exploit has been published and may be used. Upgrading to version 1.10.15 is sufficient to fix this issue. Patch name: 3b24f99ac4ddb7f9072076b0d07f0b1a408f177a. Upgrading the affected component is advised. This vulnerability was initially reported for code-projects Faculty Management System but appears to affect DataTables as an upstream component instead. The vendor of DataTables explains: "I would suggest that the author upgrade to the latest versions of DataTables (actually, they shouldn't really be deploying that file to their own server at all - it is only relevant for the DataTables examples)."

[CVE-2025-26258] [Modified: 06-11-2025] [Analyzed] [V3.1 S6.1:MEDIUM] Sourcecodester Employee Management System v1.0 is vulnerable to Cross Site Scripting (XSS) via 'Add Designation.'

[CVE-2025-55848] [Modified: 03-10-2025] [Analyzed] [V3.1 S8.8:HIGH] An issue was discovered in DIR-823 firmware 20250416. There is an RCE vulnerability in the set_cassword settings interface, as the http_casswd parameter is not filtered by '&' to allow injection of reverse connection commands.

[CVE-2025-11032] [Modified: 08-10-2025] [Analyzed] [V3.1 S7.3:HIGH] A flaw has been found in kidaze CourseSelectionSystem up to 42cd892b40a18d50bd4ed1905fa89f939173a464. This issue affects some unknown processing of the file /Profilers/PriProfile/COUNT3s6.php. Executing manipulation of the argument CPU can lead to sql injection. The attack may be performed from remote. The exploit has been published and may be used. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed.

[CVE-2025-11033] [Modified: 08-10-2025] [Analyzed] [V3.1 S7.3:HIGH] A vulnerability has been found in kidaze CourseSelectionSystem up to 42cd892b40a18d50bd4ed1905fa89f939173a464. Impacted is an unknown function of the file /Profilers/PriProfile/COUNT3s7.php. The manipulation of the argument cbe leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. This product is using a rolling release to provide continuous delivery. Therefore, no version details for affected nor updated releases are available.

[CVE-2025-45994] [Modified: 03-10-2025] [Analyzed] [V3.1 S7.5:HIGH] An issue in Aranda PassRecovery v1.0 allows attackers to enumerate valid user accounts in Active Directory via sending a crafted POST request to /user/existdirectory/1.