[27/02/2026 10:56] Bacellar tinha lista de nomes para compor secretariado em possível governo; deputado era tido como sucessor de Cláudio Castro - G1

[26/02/2026 21:27] Estudo da Unicamp estima até 4,5 milhões de empregos com redução da jornada - UOL Economia

[26/02/2026 15:06] MG reduziu em 95% o orçamento para chuva; governo alega nova contabilidade - CNN Brasil

[27/02/2026 13:32] Ciclone se forma na costa do Sudeste, reforça umidade e trará chuva intensa - MetSul Meteorologia

[26/02/2026 21:52] PF filtra dados de Vorcaro antes de repassar à CPMI do INSS - O Antagonista

[27/02/2026 06:30] México: como foi a operação que matou o líder do narcotráfico - Revista Oeste

[27/02/2026 07:54] Pai de Duda Freire, melhor amiga de Virginia, é preso em Goiânia - Metrópoles

[27/02/2026 08:10] Família Camisotti recebeu 5 vezes mais que o Careca do INSS, diz relator da CPMI - O Antagonista

[27/02/2026 09:03] China aconselha seus cidadãos a deixarem o Irã 'o mais rápido possível' - UOL Notícias

[27/02/2026 07:46] EUA recomendam retirada de funcionários de Embaixada em Israel por 'riscos de segurança'; Irã pede fim de 'exigências excessivas' - O Globo

[CVE-2025-60319] [Modified: 09-12-2025] [Analyzed] [V3.1 S6.5:MEDIUM] PerfreeBlog v4.0.11 is vulnerable to Server-Side Request Forgery due to a missing authorization check in the uploadAttachByUrl API endpoint (AttachController.java).

[CVE-2025-62726] [Modified: 31-12-2025] [Analyzed] [V3.1 S8.8:HIGH] n8n is an open source workflow automation platform. Prior to 1.113.0, a remote code execution vulnerability exists in the Git Node component available in both Cloud and Self-Hosted versions of n8n. When a malicious actor clones a remote repository containing a pre-commit hook, the subsequent use of the Commit operation in the Git Node can inadvertently trigger the hook’s execution. This allows attackers to execute arbitrary code within the n8n environment, potentially compromising the system and any connected credentials or workflows. This vulnerability is fixed in 1.113.0.

[CVE-2025-62795] [Modified: 12-11-2025] [Analyzed] [V3.1 S7.1:HIGH] JumpServer is an open source bastion host and an operation and maintenance security audit system. Prior to v3.10.21-lts and v4.10.12-lts, a low-privileged authenticated user can invoke LDAP configuration tests and start LDAP synchronization by sending crafted messages to the /ws/ldap/ WebSocket endpoint, bypassing authorization checks and potentially exposing LDAP credentials or causing unintended sync operations. This vulnerability is fixed in v3.10.21-lts and v4.10.12-lts.

[CVE-2025-62266] [Modified: 11-11-2025] [Analyzed] [V3.1 S6.1:MEDIUM] By default, Liferay Portal 7.4.0 through 7.4.3.119, and older unsupported versions, and Liferay DXP 2024.Q1.1 through 2024.Q1.5, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions is vulnerable to DNS rebinding attacks, which allows remote attackers to redirect users to arbitrary external URLs. This vulnerability can be mitigated by changing the redirect URL security from IP to domain.

[CVE-2025-64115] [Modified: 08-12-2025] [Analyzed] [V3.1 S6.1:MEDIUM] Movary is a web application to track, rate and explore your movie watch history. Versions up to and including 0.68.0 use the HTTP Referer header value directly for redirects in multiple settings endpoints, allowing a crafted link to cause an open redirect to an attacker-controlled site and facilitate phishing. This vulnerability is fixed in 0.69.0.

[CVE-2025-64116] [Modified: 08-12-2025] [Analyzed] [V3.1 S6.1:MEDIUM] Movary is a web application to track, rate and explore your movie watch history. Prior to 0.69.0, the login page accepts a redirect parameter without validation, allowing attackers to redirect authenticated users to arbitrary external sites. This vulnerability is fixed in 0.69.0.

[CVE-2025-36137] [Modified: 12-12-2025] [Analyzed] [V3.1 S7.2:HIGH] IBM Sterling Connect Direct for Unix 6.2.0.7 through 6.2.0.9 iFix004, 6.4.0.0 through 6.4.0.2 iFix001, and 6.3.0.2 through 6.3.0.5 iFix002 incorrectly assigns permissions for maintenance tasks to Control Center Director (CCD) users that could allow a privileged user to escalate their privileges further due to unnecessary privilege assignment for post update scripts.

[CVE-2025-52180] [Modified: 22-12-2025] [Analyzed] [V3.1 S6.1:MEDIUM] Cross-site scripting (XSS) vulnerability in Zucchetti Ad Hoc Infinity 4.2 and earlier allows remote unauthenticated attackers to inject arbitrary JavaScript via the pHtmlSource parameter of the /ahi/jsp/gsfr_feditorHTML.jsp?pHtmlSource endpoint.

[CVE-2025-62265] [Modified: 11-11-2025] [Analyzed] [V3.1 S5.4:MEDIUM] Cross-site scripting (XSS) vulnerability in the Blogs widget in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92, 7.3 GA through update 36, and older unsupported versions allows remote attackers to inject arbitrary web script or HTML via a crafted <iframe> injected into a blog entry's “Content” text field The Blogs widget in Liferay DXP does not add the sandbox attribute to <iframe> elements, which allows remote attackers to access the parent page via scripts and links in the frame page.

[CVE-2025-63298] [Modified: 06-11-2025] [Analyzed] [V3.1 S8.2:HIGH] A path traversal vulnerability was identified in SourceCodester Pet Grooming Management System 1.0, affecting the admin/manage_website.php component. An authenticated user with administrative privileges can leverage this flaw by submitting a specially crafted POST request, enabling the deletion of arbitrary files on the web server or underlying operating system.

[CVE-2025-3355] [Modified: 07-11-2025] [Analyzed] [V3.1 S7.5:HIGH] IBM Tivoli Monitoring 6.3.0.7 through 6.3.0.7 Service Pack 21 could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system.

[CVE-2025-3356] [Modified: 07-11-2025] [Analyzed] [V3.1 S8.6:HIGH] IBM Tivoli Monitoring 6.3.0.7 through 6.3.0.7 Service Pack 21 could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to view, overwrite, or append to arbitrary files on the system.

[CVE-2025-61498] [Modified: 08-12-2025] [Analyzed] [V3.1 S7.5:HIGH] A buffer overflow in the UPnP service of Tenda AC8 Hardware v03.03.10.01 allows attackers to cause a Denial of Service (DoS) via supplying a crafted packet.

[CVE-2025-8850] [Modified: 19-11-2025] [Analyzed] [V3.1 S8.8:HIGH] In danny-avila/librechat version 0.7.9, there is an insecure API design issue in the 2-Factor Authentication (2FA) flow. The system allows users to disable 2FA without requiring a valid OTP or backup code, bypassing the intended verification process. This vulnerability occurs because the backend does not properly validate the OTP or backup code when the API endpoint '/api/auth/2fa/disable' is directly accessed. This flaw can be exploited by authenticated users to weaken the security of their own accounts, although it does not lead to full account compromise.

[CVE-2011-10035] [Modified: 06-11-2025] [Analyzed] [V3.1 S7.0:HIGH] Nagios XI versions prior to 2011R1.9 contain privilege escalation vulnerabilities in the scripts that install or update system crontab entries. Due to time-of-check/time-of-use race conditions and missing synchronization or final-path validation, a local low-privileged user could manipulate filesystem state during crontab installation to influence the files or commands executed with elevated privileges, resulting in execution with higher privileges.

[CVE-2011-10036] [Modified: 06-11-2025] [Analyzed] [V3.1 S5.4:MEDIUM] Nagios XI versions prior to 2011R1.9 are vulnerable to cross-site scripting (XSS) via the handling of the "backend_url" JavaScript link. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.

[CVE-2011-10038] [Modified: 06-11-2025] [Analyzed] [V3.1 S5.4:MEDIUM] Nagios XI versions prior to 2011R1.9 are vulnerable to cross-site scripting (XSS) via the recurring downtime script of the web interface. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.

[CVE-2011-10039] [Modified: 06-11-2025] [Analyzed] [V3.1 S5.4:MEDIUM] Nagios XI versions prior to 2011R1.9 are vulnerable to cross-site scripting (XSS) via the Alert Heatmap report and the “My Reports” listing of the web interface. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.

[CVE-2011-10040] [Modified: 06-11-2025] [Analyzed] [V3.1 S5.4:MEDIUM] Nagios XI versions prior to 2011R1.9 are vulnerable to cross-site scripting (XSS) via the link-handling functions used by status and report pages. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.

[CVE-2012-10063] [Modified: 06-11-2025] [Analyzed] [V3.1 S9.8:CRITICAL] Nagios XI versions prior to 2012R1.3 contain a SQL injection vulnerability in the legacy Core Configuration Manager (CCM) interface. Authenticated users could manipulate SQL queries by supplying crafted input to specific CCM parameters, potentially allowing access to configuration data stored in the application database. Successful exploitation could disclose or modify notification data and, in some cases, impact the application database more broadly.