
[CVE-2025-15232] [Modified: 02-01-2026] [Analyzed] [V3.1 S8.8:HIGH] A vulnerability was identified in Tenda M3 1.0.0.13(4903). This vulnerability affects the function formSetAdPushInfo of the file /goform/setAdPushInfo. The manipulation of the argument mac/terminal leads to stack-based buffer overflow. The attack is possible to be carried out remotely. The exploit is publicly available and might be used.

[CVE-2025-15102] [Modified: 06-01-2026] [Analyzed] [V3.1 S9.1:CRITICAL] DVP-12SE11T - Password Protection Bypass

[CVE-2025-15103] [Modified: 06-01-2026] [Analyzed] [V3.1 S8.1:HIGH] DVP-12SE11T - Authentication Bypass via Partial Password Disclosure

[CVE-2025-15358] [Modified: 06-01-2026] [Analyzed] [V3.1 S7.5:HIGH] DVP-12SE11T - Denial of Service Vulnerability

[CVE-2025-15359] [Modified: 05-01-2026] [Analyzed] [V3.1 S9.1:CRITICAL] DVP-12SE11T - Out-of-bound memory write Vulnerability

[CVE-2025-15244] [Modified: 29-04-2026] [Analyzed] [V3.1 S3.7:LOW] A vulnerability has been found in PHPEMS up to 11.0. This impacts an unknown function of the component Purchase Request Handler. The manipulation leads to race condition. The attack may be initiated remotely. A high degree of complexity is needed for the attack. The exploitability is said to be difficult. The exploit has been disclosed to the public and may be used.

[CVE-2025-15245] [Modified: 29-04-2026] [Analyzed] [V3.1 S3.5:LOW] A vulnerability was found in D-Link DCS-850L 1.02.09. Affected is the function uploadfirmware of the component Firmware Update Service. The manipulation of the argument DownloadFile results in path traversal. The attack must originate from the local network. The exploit has been made public and could be used. This vulnerability only affects products that are no longer supported by the maintainer.

[CVE-2025-69092] [Modified: 29-01-2026] [Analyzed] [V3.1 S6.5:MEDIUM] Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPDeveloper Essential Addons for Elementor essential-addons-for-elementor-lite allows DOM-Based XSS. This issue affects Essential Addons for Elementor: from n/a through <= 6.5.3.

[CVE-2023-54207] [Modified: 26-02-2026] [Analyzed] [V3.1 S7.8:HIGH] In the Linux kernel, the following vulnerability has been resolved: HID: uclogic: Correct devm device reference for hidinput input_dev name Reference the HID device rather than the input device for the devm allocation of the input_dev name. Referencing the input_dev would lead to a use-after-free when the input_dev was unregistered and subsequently fires a uevent that depends on the name. At the point of firing the uevent, the name would be freed by devres management. Use devm_kasprintf to simplify the logic for allocating memory and formatting the input_dev name string.

[CVE-2023-54285] [Modified: 26-02-2026] [Analyzed] [V3.1 S7.8:HIGH] In the Linux kernel, the following vulnerability has been resolved: iomap: Fix possible overflow condition in iomap_write_delalloc_scan folio_next_index() returns an unsigned long value which left shifted by PAGE_SHIFT could possibly cause an overflow on 32-bit system. Instead use folio_pos(folio) + folio_size(folio), which does this correctly.

[CVE-2025-54321-PLACEHOLDER-DO-NOT-USE]

[CVE-2025-15252] [Modified: 02-01-2026] [Analyzed] [V3.1 S8.8:HIGH] A flaw has been found in Tenda M3 1.0.0.13(4903). The affected element is the function formSetRemoteDhcpForAp of the file /goform/setDhcpAP. This manipulation of the argument startip/endip/leasetime/gateway/dns1/dns2 causes stack-based buffer overflow. The attack can be initiated remotely. The exploit has been published and may be used.

[CVE-2025-15253] [Modified: 02-01-2026] [Analyzed] [V3.1 S8.8:HIGH] A vulnerability has been found in Tenda M3 1.0.0.13(4903). The impacted element is an unknown function of the file /goform/exeCommand. Such manipulation of the argument cmdinput leads to stack-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

[CVE-2025-61557] [Modified: 14-01-2026] [Analyzed] [V3.1 S7.5:HIGH] nixseparatedebuginfod before v0.4.1 is vulnerable to Directory Traversal.

[CVE-2025-64528] [Modified: 20-02-2026] [Analyzed] [V3.1 S5.3:MEDIUM] Discourse is an open source discussion platform. Prior to versions 3.5.3, 2025.11.1, and 2025.12.0, an attacker who knows part of a username can find the user and their full name via UI or API, even when `enable_names` is disabled. Versions 3.5.3, 2025.11.1, and 2025.12.0 contain a fix.

[CVE-2025-67746] [Modified: 25-02-2026] [Analyzed] [V3.1 S4.3:MEDIUM] Composer is a dependency manager for PHP. In versions on the 2.x branch prior to 2.2.26 and 2.9.3, attackers controlling remote sources that Composer downloads from might in some way inject ANSI control characters in the terminal output of various Composer commands, causing mangled output and potentially leading to confusion or DoS of the terminal application. There is no proven exploit and this has thus a low severity but we still publish a CVE as it has potential for abuse, and we want to be on the safe side informing users that they should upgrade. Versions 2.2.26 and 2.9.3 contain a patch for the issue.

[CVE-2025-15256] [Modified: 29-04-2026] [Analyzed] [V3.1 S7.3:HIGH] A vulnerability was identified in Edimax BR-6208AC 1.02/1.03. Affected is the function formStaDrvSetup of the file /goform/formStaDrvSetup of the component Web-based Configuration Interface. The manipulation of the argument rootAPmac leads to command injection. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. Edimax confirms this issue: "The product mentioned, EDIMAX BR-6208AC V2, has reached its End of Life (EOL) status. It is no longer supported or maintained by Edimax, and it is no longer available for purchase in the market. Consequently, there will be no further firmware updates or patches for this device. We recommend users upgrade to newer models for better security." This vulnerability only affects products that are no longer supported by the maintainer.

[CVE-2025-65925] [Modified: 13-01-2026] [Analyzed] [V3.1 S6.5:MEDIUM] An issue was discovered in Zeroheight (SaaS) prior to 2025-06-13. A legacy user creation API pathway allowed accounts to be created without completing the intended email verification step. While unverified accounts could not access product functionality, the behavior bypassed intended verification controls and allowed unintended account creation. This could have enabled spam/fake account creation or resource usage impact. No data exposure or unauthorized access to existing accounts was reported.

[CVE-2025-66848] [Modified: 09-01-2026] [Analyzed] [V3.1 S9.8:CRITICAL] JD Cloud NAS routers AX1800 (4.3.1.r4308 and earlier), AX3000 (4.3.1.r4318 and earlier), AX6600 (4.5.1.r4533 and earlier), BE6500 (4.4.1.r4308 and earlier), ER1 (4.5.1.r4518 and earlier), and ER2 (4.5.1.r4518 and earlier) contain an unauthorized remote command execution vulnerability.

[CVE-2025-68618] [Modified: 06-01-2026] [Analyzed] [V3.1 S5.3:MEDIUM] ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to version 7.1.2-12, using Magick to read a malicious SVG file resulted in a DoS attack. Version 7.1.2-12 fixes the issue.