[06/02/2026 09:47] PF faz operação no Amapá e aproxima Alcolumbre de fraude no Banco Master - oantagonista.com.br

[06/02/2026 12:52] Risco de superlotação preocupa PM para bloco da Ivete em São Paulo - Metrópoles

[06/02/2026 07:37] EUA ordenam que cidadãos deixem o Irã imediatamente - Revista Oeste

[06/02/2026 14:53] STF tem maioria para enquadrar caixa 2 como crime eleitoral e improbidade - UOL Notícias

[06/02/2026 06:36] Vale informa que 3 medidas judiciais relacionadas a extravasamentos somam R$ 2 bi - InfoMoney

[06/02/2026 06:02] Salários do Congresso podem chegar a R$ 61.800 com reajuste extra-teto - Poder360

[06/02/2026 07:11] Holanda devolve ao Egito escultura de 3.500 anos saqueada - UOL Notícias

[06/02/2026 14:15] EUA anunciam novas sanções petrolíferas ao Irã após rodada de negociações - UOL Economia

[05/02/2026 10:44] Com iguanas 'caindo do céu', moradores da Flórida tiram das ruas mais de 5 mil animais 'congelados' - Um só Planeta

[05/02/2026 23:00] EUA dizem que governo de Cuba "está nas últimas": "Deveriam ser cautelosos" - CNN Brasil

[CVE-2025-11550] [Modified: 20-10-2025] [Analyzed] [V3.1 S6.5:MEDIUM] A vulnerability was found in Tenda W12 3.0.0.6(3948). The impacted element is the function wifiScheduledSet of the file /goform/modules of the component HTTP Request Handler. The manipulation of the argument wifiScheduledSet results in null pointer dereference. The attack may be performed from remote. The exploit has been made public and could be used.

[CVE-2025-11551] [Modified: 20-10-2025] [Analyzed] [V3.1 S6.3:MEDIUM] A vulnerability was determined in code-projects Student Result Manager 1.0. This affects an unknown function of the file src/students/Database.java. This manipulation of the argument roll/name/gpa causes sql injection. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized.

[CVE-2025-60267] [Modified: 16-10-2025] [Analyzed] [V3.1 S6.5:MEDIUM] In xckk v9.6, there is a SQL injection vulnerability in which the cond parameter in notice/list is not securely filtered, resulting in a SQL injection vulnerability.

[CVE-2025-11552] [Modified: 23-10-2025] [Analyzed] [V3.1 S6.3:MEDIUM] A vulnerability was identified in code-projects Online Complaint Site 1.0. This impacts an unknown function of the file /admin/category.php. Such manipulation of the argument Category leads to sql injection. It is possible to launch the attack remotely. The exploit is publicly available and might be used.

[CVE-2025-4614] [Modified: 06-02-2026] [Analyzed] [V3.1 S2.7:LOW] An information disclosure vulnerability in Palo Alto Networks PAN-OS® software enables an authenticated administrator to view session tokens of users authenticated to the firewall web UI. This may allow impersonation of users whose session tokens are leaked.   The security risk posed by this issue is significantly minimized when CLI access is restricted to a limited group of administrators. Cloud NGFW and Prisma® Access are not affected by this vulnerability.

[CVE-2025-4615] [Modified: 22-10-2025] [Analyzed] [V3.1 S7.2:HIGH] An improper input neutralization vulnerability in the management web interface of the Palo Alto Networks PAN-OS® software enables an authenticated administrator to bypass system restrictions and execute arbitrary commands. The security risk posed by this issue is significantly minimized when CLI access is restricted to a limited group of administrators. Cloud NGFW and Prisma® Access are not affected by this vulnerability.

[CVE-2025-55200] [Modified: 20-10-2025] [Analyzed] [V3.1 S7.1:HIGH] BigBlueButton is an open-source virtual classroom. In versions prior to 3.0.13, the "Shared Notes" feature contains a Stored Cross-Site Scripting (XSS) vulnerability with the input location being the "Username" field and the output location on the "Shared Notes" page, when a user with a malicious username is editing content. This vulnerability allows a low-privileged user to execute arbitrary JavaScript in the context of higher-privileged users (e.g., Admins) who open the Shared Notes page. Version 3.0.13 fixes the issue.

[CVE-2025-11553] [Modified: 20-10-2025] [Analyzed] [V3.1 S6.3:MEDIUM] A weakness has been identified in code-projects Courier Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /add-courier.php. Executing manipulation of the argument Shippername can lead to sql injection. The attack can be launched remotely. The exploit has been made available to the public and could be exploited.

[CVE-2025-11554] [Modified: 21-11-2025] [Analyzed] [V3.1 S6.3:MEDIUM] A security vulnerability has been detected in Portabilis i-Educar up to 2.9.10. Affected by this issue is some unknown functionality of the file app/Http/Controllers/AccessLevelController.php of the component User Type Handler. The manipulation leads to insecure inherited permissions. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used.

[CVE-2025-60316] [Modified: 16-10-2025] [Analyzed] [V3.1 S9.4:CRITICAL] SourceCodester Pet Grooming Management Software 1.0 is vulnerable to SQL Injection in admin/view_customer.php via the ID parameter.

[CVE-2025-11555] [Modified: 20-10-2025] [Analyzed] [V3.1 S7.3:HIGH] A vulnerability was detected in Campcodes Online Learning Management System 1.0. This affects an unknown part of the file /admin/calendar_of_events.php. The manipulation of the argument date_start results in sql injection. The attack may be launched remotely. The exploit is now public and may be used.

[CVE-2025-11556] [Modified: 20-10-2025] [Analyzed] [V3.1 S7.3:HIGH] A flaw has been found in code-projects Simple Leave Manager 1.0. This vulnerability affects unknown code of the file /user.php. This manipulation of the argument table causes sql injection. Remote exploitation of the attack is possible. The exploit has been published and may be used.

[CVE-2025-11557] [Modified: 20-10-2025] [Analyzed] [V3.1 S7.3:HIGH] A vulnerability has been found in projectworlds Gate Pass Management System 1.0. This issue affects some unknown processing of the file /add-pass.php. Such manipulation of the argument fullname leads to sql injection. The attack can be executed remotely. The exploit has been disclosed to the public and may be used.

[CVE-2025-11558] [Modified: 23-10-2025] [Analyzed] [V3.1 S7.3:HIGH] A vulnerability was found in code-projects E-Commerce Website 1.0. Impacted is an unknown function of the file /pages/user_index_search.php. Performing manipulation of the argument Search results in sql injection. The attack is possible to be carried out remotely. The exploit has been made public and could be used.

[CVE-2025-35050] [Modified: 09-01-2026] [Analyzed] [V3.1 S9.8:CRITICAL] Newforma Info Exchange (NIX) accepts serialized .NET data via the '/remoteweb/remote.rem' endpoint, allowing a remote, unauthenticated attacker to execute arbitrary code with 'NT AUTHORITY\NetworkService' privileges. The vulnerable endpoint is used by Newforma Project Center Server (NPCS), so a compromised NIX system can be used to attack an associated NPCS system. To mitigate this vulnerability, restrict network access to the '/remoteweb/remote.rem' endpoint, for example using the IIS URL Rewrite Module.

[CVE-2025-35051] [Modified: 09-01-2026] [Analyzed] [V3.1 S9.8:CRITICAL] Newforma Project Center Server (NPCS) accepts serialized .NET data via the '/ProjectCenter.rem' endpoint on 9003/tcp, allowing a remote, unauthenticated attacker to execute arbitrary code with 'NT AUTHORITY\NetworkService' privileges. According to the recommended architecture, the vulnerable NPCS endpoint is only accessible on an internal network. To mitigate this vulnerability, restrict network access to NPCS.

[CVE-2025-35052] [Modified: 22-10-2025] [Analyzed] [V3.1 S5.3:MEDIUM] Newforma Info Exchange (NIX) uses a hard-coded key to encrypt certain query parameters. Some encrypted parameter values can specify paths to download files, potentially bypassing authentication and authorization, for example, the 'qs' parameter used in '/DownloadWeb/download.aspx'. This key is shared across NIX installations. NIX 2023.3 and 2024.1 limit the use of hard-coded keys.

[CVE-2025-35053] [Modified: 22-10-2025] [Analyzed] [V3.1 S6.4:MEDIUM] Newforma Info Exchange (NIX) accepts requests to '/UserWeb/Common/MarkupServices.ashx' specifying the 'DownloadExportedPDF' command that allow an authenticated user to read and delete arbitrary files with 'NT AUTHORITY\NetworkService' privileges. In Newforma before 2023.1, anonymous access is enabled by default (CVE-2025-35062), allowing an otherwise unauthenticated attacker to effectively authenticate as 'anonymous' and exploit this file upload vulnerability.

[CVE-2025-35054] [Modified: 22-10-2025] [Analyzed] [V3.1 S5.3:MEDIUM] Newforma Info Exchange (NIX) stores credentials used to configure NPCS in 'HKLM\Software\WOW6432Node\Newforma\<version>\Credentials'. The credentials are encrypted but the encryption key is stored in the same registry location. Authenticated users can access both the credentials and the encryption key. If these are Active Directory credentials, an attacker may be able to gain access to additional systems and resources.

[CVE-2025-35055] [Modified: 22-10-2025] [Analyzed] [V3.1 S8.8:HIGH] Newforma Info Exchange (NIX) '/UserWeb/Common/UploadBlueimp.ashx' allows an authenticated attacker to upload an arbitrary file to any location writable by the NIX application. An attacker can upload and run a web shell or other content executable by the web server. An attacker can also delete directories. In Newforma before 2023.1, anonymous access is enabled by default (CVE-2025-35062), allowing an otherwise unauthenticated attacker to effectively authenticate as 'anonymous' and exploit this file upload vulnerability.