[16/02/2026 13:23] Porto Alegre pode voltar a ter chuva forte localizada neste início de semana - MetSul Meteorologia

[16/02/2026 03:55] Escala 6x1: redução da jornada entra em debate decisivo após carnaval - Correio Braziliense

[16/02/2026 13:23] Segundo tornado em poucos dias provoca estragos no Sul gaúcho - MetSul Meteorologia

[16/02/2026 08:35] Os taxistas e a honra dos desonrados — por Flávio Gordon - Revista Oeste

[16/02/2026 05:41] Lula afirma que “a verdade vai destruir a mentira” em 2026 - Brasil 247

[16/02/2026 06:00] 'Eventos da cultura estão sendo engolidos pela cultura do evento' - Correio Braziliense

[16/02/2026 09:20] Ônibus capota na BR-153, e seis pessoas morrem no interior de São Paulo - Jovem Pan

[16/02/2026 12:33] Passageiro gravou o momento em que piloto da LATAM informa o que aconteceu para que a decolagem fosse abortada - AEROIN

[16/02/2026 13:33] Sindicatos da Argentina convocam greve geral contra reforma trabalhista - CNN Brasil

[15/02/2026 15:36] Israel volta a registrar terras na Cisjordânia e provoca acusação de anexação - Jovem Pan

[CVE-2025-11914] [Modified: 31-10-2025] [Analyzed] [V3.1 S4.3:MEDIUM] A vulnerability was found in Shenzhen Ruiming Technology Streamax Crocus 1.3.40. Affected by this issue is the function Download of the file /DeviceFileReport.do?Action=Download. Performing manipulation of the argument FilePath results in path traversal. The attack may be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

[CVE-2025-62642] [Modified: 31-10-2025] [Analyzed] [V3.1 S5.8:MEDIUM] The Restaurant Brands International (RBI) assistant platform through 2025-09-06 has an "Anyone Can Join This Party" signup API that does not verify user account creation, allowing a remote unauthenticated attacker to create a user account.

[CVE-2025-62643] [Modified: 31-10-2025] [Analyzed] [V3.1 S3.4:LOW] The Restaurant Brands International (RBI) assistant platform through 2025-09-06 transmits passwords of user accounts in cleartext e-mail messages.

[CVE-2025-62644] [Modified: 31-10-2025] [Analyzed] [V3.1 S5.0:MEDIUM] The Restaurant Brands International (RBI) assistant platform through 2025-09-06 has a Global Store Directory that shares personal information among authenticated users.

[CVE-2025-62645] [Modified: 04-11-2025] [Analyzed] [V3.1 S9.9:CRITICAL] The Restaurant Brands International (RBI) assistant platform through 2025-09-06 allows a remote authenticated attacker to obtain a token with administrative privileges for the entire platform via the createToken GraphQL mutation.

[CVE-2025-62646] [Modified: 31-10-2025] [Analyzed] [V3.1 S5.0:MEDIUM] The Restaurant Brands International (RBI) assistant platform through 2025-09-06 allows remote attackers to review the stored audio of conversations between associates and Drive Thru customers.

[CVE-2025-62647] [Modified: 31-10-2025] [Analyzed] [V3.1 S5.0:MEDIUM] The Restaurant Brands International (RBI) assistant platform through 2025-09-06 provides the functionality of returning a JWT that can be used to call an API to return a signed AWS upload URL, for any store's path.

[CVE-2025-62648] [Modified: 31-10-2025] [Analyzed] [V3.1 S6.4:MEDIUM] The Restaurant Brands International (RBI) assistant platform through 2025-09-06 allows remote attackers to adjust Drive Thru speaker audio volume.

[CVE-2025-62649] [Modified: 06-11-2025] [Analyzed] [V3.1 S5.8:MEDIUM] The Restaurant Brands International (RBI) assistant platform through 2025-09-06 relies on client-side authentication for submission of equipment orders.

[CVE-2025-62650] [Modified: 31-10-2025] [Analyzed] [V3.1 S8.3:HIGH] The Restaurant Brands International (RBI) assistant platform through 2025-09-06 relies on client-side authentication for use of the diagnostic screen.

[CVE-2025-62651] [Modified: 31-10-2025] [Analyzed] [V3.1 S6.5:MEDIUM] The Restaurant Brands International (RBI) assistant platform through 2025-09-06 does not implement access control for the bathroom rating interface.

[CVE-2017-20206] [Modified: 23-12-2025] [Analyzed] [V3.1 S9.8:CRITICAL] The Appointments plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 2.2.1 via deserialization of untrusted input from the `wpmudev_appointments` cookie. This allows unauthenticated attackers to inject a PHP Object. Attackers were actively exploiting this vulnerability with the WP_Theme() class to create backdoors.

[CVE-2017-20207] [Modified: 05-01-2026] [Analyzed] [V3.1 S9.8:CRITICAL] The Flickr Gallery plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.5.2 via deserialization of untrusted input from the `pager ` parameter. This allows unauthenticated attackers to inject a PHP Object. Attackers were actively exploiting this vulnerability with the WP_Theme() class to create backdoors.

[CVE-2017-20208] [Modified: 19-12-2025] [Analyzed] [V3.1 S9.8:CRITICAL] The RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress is vulnerable to PHP Object Injection in all versions up to 3.7.9.3 (exclusive) via deserialization of untrusted input from the is_expired_by_date() function. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to fetch a remote file and install it on the site.

[CVE-2025-10006] [Modified: 26-11-2025] [Analyzed] [V3.1 S6.4:MEDIUM] The WPBakery Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'rev_slider_vc' shortcode in all versions up to, and including, 8.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This is only exploitable when RevSlider is also installed.

[CVE-2025-11938] [Modified: 27-10-2025] [Analyzed] [V3.1 S5.6:MEDIUM] A vulnerability was found in ChurchCRM up to 5.18.0. This vulnerability affects unknown code of the file setup/routes/setup.php. Performing manipulation of the argument DB_PASSWORD/ROOT_PATH/URL results in deserialization. The attack may be initiated remotely. The attack's complexity is rated as high. It is stated that the exploitability is difficult. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

[CVE-2025-11939] [Modified: 27-10-2025] [Analyzed] [V3.1 S4.7:MEDIUM] A vulnerability was determined in ChurchCRM up to 5.18.0. This issue affects some unknown processing of the file src/ChurchCRM/Backup/RestoreJob.php of the component Backup Restore Handler. Executing manipulation of the argument restoreFile can lead to path traversal. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.

[CVE-2025-11941] [Modified: 12-01-2026] [Analyzed] [V3.1 S5.4:MEDIUM] A vulnerability was detected in e107 CMS up to 2.3.3. This impacts an unknown function of the file /e107_admin/image.php?mode=main&action=avatar of the component Avatar Handler. Performing manipulation of the argument multiaction[] results in path traversal. It is possible to initiate the attack remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

[CVE-2025-11942] [Modified: 17-11-2025] [Analyzed] [V3.1 S7.3:HIGH] A flaw has been found in 70mai X200 up to 20251010. Affected is an unknown function of the component Pairing. Executing manipulation can lead to missing authentication. It is possible to launch the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

[CVE-2025-11943] [Modified: 17-11-2025] [Analyzed] [V3.1 S7.3:HIGH] A vulnerability has been found in 70mai X200 up to 20251010. Affected by this vulnerability is an unknown functionality of the component HTTP Web Server. The manipulation leads to use of default credentials. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.