[07/02/2026 12:41] Mulher morre após queda de andaime em Copacabana, no Rio - CBN

[07/02/2026 04:00] 'Penduricalhos' têm cerca de 3 mil nomes diferentes, indica levantamento da Transparência Brasil - O Globo

[07/02/2026 03:55] Movimentos pedem que Lula vete penduricalhos de servidores - Correio Braziliense

[07/02/2026 03:00] Jovem relatou ameaça do ministro Buzzi após assédio sexual na praia - Metrópoles

[07/02/2026 16:02] Município do Rio de Janeiro entrou no Estágio 2 às 16h00 deste sábado, dia 7 de fevereiro de 2026 - Centro de Operações Rio

[07/02/2026 12:38] Pré-carnaval: Bloco Mama na Vaca esquenta a manhã de sábado (7) nas ladeiras do bairro Santo Antônio - O TEMPO

[07/02/2026 12:41] “A política apodreceu”, diz Lula, no aniversário do PT - Brasil 247

[07/02/2026 07:57] Governo Trump deu prazo até junho para que Rússia e Ucrânia encerrem guerra, diz Zelensky - G1

[07/02/2026 09:04] Alvo de Trump, Harvard perderá laços acadêmicos com o Pentágono - UOL Notícias

[07/02/2026 07:07] Caso Epstein: Bill e Hillary Clinton solicitam depoimento público no Congresso dos EUA - O Globo

[CVE-2025-11580] [Modified: 27-10-2025] [Analyzed] [V3.1 S5.3:MEDIUM] A weakness has been identified in PowerJob up to 5.1.2. This affects the function list of the file /user/list. This manipulation causes missing authorization. The attack can be initiated remotely. The exploit has been made available to the public and could be exploited.

[CVE-2025-11616] [Modified: 31-10-2025] [Analyzed] [V3.1 S5.4:MEDIUM] A missing validation check in FreeRTOS-Plus-TCP's ICMPv6 packet processing code can lead to an out-of-bounds read when receiving ICMPv6 packets of certain message types which are smaller than the expected size. These issues only affect applications using IPv6. Users should upgrade to the latest version and ensure any forked or derivative code is patched to incorporate the new fixes.

[CVE-2025-11617] [Modified: 31-10-2025] [Analyzed] [V3.1 S5.4:MEDIUM] A missing validation check in FreeRTOS-Plus-TCP's IPv6 packet processing code can lead to an out-of-bounds read when receiving a IPv6 packet with incorrect payload lengths in the packet header. This issue only affects applications using IPv6. We recommend users upgrade to the latest version and ensure any forked or derivative code is patched to incorporate the new fixes.

[CVE-2025-11618] [Modified: 31-10-2025] [Analyzed] [V3.1 S4.3:MEDIUM] A missing validation check in FreeRTOS-Plus-TCP's UDP/IPv6 packet processing code can lead to an invalid pointer dereference when receiving a UDP/IPv6 packet with an incorrect IP version field in the packet header. This issue only affects applications using IPv6. We recommend upgrading to the latest version and ensure any forked or derivative code is patched to incorporate the new fixes.

[CVE-2025-60268] [Modified: 16-10-2025] [Analyzed] [V3.1 S6.5:MEDIUM] An arbitrary file upload vulnerability exists in JeeWMS 20250820, which is caused by the lack of file checking in the saveFiles function in /jeewms/cgUploadController.do. An attacker with normal privileges was able to upload a malicious file that would lead to remote code execution.

[CVE-2025-60838] [Modified: 28-10-2025] [Analyzed] [V3.1 S6.5:MEDIUM] An arbitrary file upload vulnerability in MCMS v6.0.1 allows attackers to execute arbitrary code via uploading a crafted file.

[CVE-2025-11581] [Modified: 27-10-2025] [Analyzed] [V3.1 S5.3:MEDIUM] A security vulnerability has been detected in PowerJob up to 5.1.2. This vulnerability affects unknown code of the file /openApi/runJob of the component OpenAPIController. Such manipulation leads to missing authorization. The attack can be launched remotely. The exploit has been disclosed publicly and may be used.

[CVE-2025-60880] [Modified: 08-01-2026] [Analyzed] [V3.1 S8.3:HIGH] An authenticated stored XSS vulnerability exists in the Bagisto 2.3.6 admin panel's product creation path, allowing an attacker to upload a crafted SVG file containing malicious JavaScript code. This vulnerability can be exploited by an authenticated admin user to execute arbitrary JavaScript in the browser, potentially leading to session hijacking, data theft, or unauthorized actions.

[CVE-2025-61505] [Modified: 12-01-2026] [Analyzed] [V3.1 S6.5:MEDIUM] e107 CMS thru 2.3.3 are vulnerable to insecure deserialization in the `install.php` script. The script processes user-controlled input in the `previous_steps` POST parameter using `unserialize(base64_decode())` without validation, allowing attackers to craft malicious serialized data. This could lead to remote code execution, arbitrary file operations, or denial of service, depending on available PHP object gadgets in the codebase.

[CVE-2025-11582] [Modified: 23-10-2025] [Analyzed] [V3.1 S7.3:HIGH] A vulnerability was detected in code-projects Online Job Search Engine 1.0. This issue affects some unknown processing of the file /registration.php. Performing manipulation of the argument txtusername results in sql injection. The attack may be initiated remotely. The exploit is now public and may be used.

[CVE-2025-11583] [Modified: 23-10-2025] [Analyzed] [V3.1 S7.3:HIGH] A flaw has been found in code-projects Online Job Search Engine 1.0. Impacted is an unknown function of the file /postjob.php. Executing manipulation of the argument txtjobID can lead to sql injection. The attack may be launched remotely. The exploit has been published and may be used.

[CVE-2025-61919] [Modified: 03-11-2025] [Analyzed] [V3.1 S7.5:HIGH] Rack is a modular Ruby web server interface. Prior to versions 2.2.20, 3.1.18, and 3.2.3, `Rack::Request#POST` reads the entire request body into memory for `Content-Type: application/x-www-form-urlencoded`, calling `rack.input.read(nil)` without enforcing a length or cap. Large request bodies can therefore be buffered completely into process memory before parsing, leading to denial of service (DoS) through memory exhaustion. Users should upgrade to Rack version 2.2.20, 3.1.18, or 3.2.3, anu of which enforces form parameter limits using `query_parser.bytesize_limit`, preventing unbounded reads of `application/x-www-form-urlencoded` bodies. Additionally, enforce strict maximum body size at the proxy or web server layer (e.g., Nginx `client_max_body_size`, Apache `LimitRequestBody`).

[CVE-2025-61921] [Modified: 31-10-2025] [Analyzed] [V3.1 S7.5:HIGH] Sinatra is a domain-specific language for creating web applications in Ruby. In versions prior to 4.2.0, there is a denial of service vulnerability in the `If-Match` and `If-None-Match` header parsing component of Sinatra, if the `etag` method is used when constructing the response. Carefully crafted input can cause `If-Match` and `If-None-Match` header parsing in Sinatra to take an unexpected amount of time, possibly resulting in a denial of service attack vector. This header is typically involved in generating the `ETag` header value. Any applications that use the `etag` method when generating a response are impacted. Version 4.2.0 fixes the issue.

[CVE-2025-61925] [Modified: 04-12-2025] [Analyzed] [V3.1 S6.5:MEDIUM] Astro is a web framework. Prior to version 5.14.2, Astro reflects the value in `X-Forwarded-Host` in output when using `Astro.url` without any validation. It is common for web servers such as nginx to route requests via the `Host` header, and forward on other request headers. As such as malicious request can be sent with both a `Host` header and an `X-Forwarded-Host` header where the values do not match and the `X-Forwarded-Host` header is malicious. Astro will then return the malicious value. This could result in any usages of the `Astro.url` value in code being manipulated by a request. For example if a user follows guidance and uses `Astro.url` for a canonical link the canonical link can be manipulated to another site. It is theoretically possible that the value could also be used as a login/registration or other form URL as well, resulting in potential redirecting of login credentials to a malicious party. As this is a per-request attack vector the surface area would only be to the malicious user until one considers that having a caching proxy is a common setup, in which case any page which is cached could persist the malicious value for subsequent users. Many other frameworks have an allowlist of domains to validate against, or do not have a case where the headers are reflected to avoid such issues. This could affect anyone using Astro in an on-demand/dynamic rendering mode behind a caching proxy. Version 5.14.2 contains a fix for the issue.

[CVE-2025-61929] [Modified: 04-12-2025] [Analyzed] [V3.1 S9.6:CRITICAL] Cherry Studio is a desktop client that supports for multiple LLM providers. Cherry Studio registers a custom protocol called `cherrystudio://`. When handling the MCP installation URL, it parses the base64-encoded configuration data and directly executes the command within it. In the files `src/main/services/ProtocolClient.ts` and `src/main/services/urlschema/mcp-install.ts`, when receiving a URL of the `cherrystudio://mcp` type, the `handleMcpProtocolUrl` function is called for processing. If an attacker crafts malicious content and posts it on a website or elsewhere (there are many exploitation methods, such as creating a malicious website with a button containing this malicious content), when the user clicks it, since the pop-up window contains normal content, the direct click is considered a scene action, and the malicious command is directly triggered, leading to the user being compromised. As of time of publication, no known patched versions exist.

[CVE-2025-61930] [Modified: 20-10-2025] [Analyzed] [V3.1 S8.1:HIGH] Emlog is an open source website building system. Emlog Pro versions 2.5.19 and earlier are vulnerable to Cross‑Site Request Forgery (CSRF) on the password change endpoint. An attacker can trick a logged‑in administrator into submitting a crafted POST request to change the admin password without consent. Impact is account takeover of privileged users. Severity: High. As of time of publication, no known patched versions exist.

[CVE-2025-62158] [Modified: 20-10-2025] [Analyzed] [V3.1 S5.3:MEDIUM] Frappe Learning is a learning system that helps users structure their content. In versions prior to 2.38.0, the system did stored the attachments uploaded by the students in their assignments as public files. This issue potentially exposed student-uploaded files to the public. Anyone with the file URL could access these files without authentication. The issue has been fixed in version 2.38.0 by ensuring all student-uploaded assignment attachments are stored as private files by default.

[CVE-2025-62245] [Modified: 12-12-2025] [Analyzed] [V3.1 S4.3:MEDIUM] Cross-site request forgery (CSRF) vulnerability in Liferay Portal 7.4.1 through 7.4.3.112, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.10, and 7.4 GA through update 92 allows remote attackers to add and edit publication comments.

[CVE-2025-11584] [Modified: 23-10-2025] [Analyzed] [V3.1 S7.3:HIGH] A vulnerability has been found in code-projects Online Job Search Engine 1.0. The affected element is an unknown function of the file /searchjob.php. The manipulation of the argument txtspecialization leads to sql injection. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used.

[CVE-2025-11585] [Modified: 23-10-2025] [Analyzed] [V3.1 S7.3:HIGH] A vulnerability was found in code-projects Project Monitoring System 1.0. The impacted element is an unknown function of the file /useredit.php. The manipulation of the argument uid results in sql injection. The attack can be executed remotely. The exploit has been made public and could be used.