[14/02/2026 07:32] Polícia Civil prende cunhado do traficante Fernandinho Beira-Mar - O Dia

[13/02/2026 16:31] PF viu uso de empresa de espionagem Black Wall pelo Master - Poder360

[14/02/2026 10:17] CPI vota quebra de sigilo de empresa ligada a Toffoli - O Antagonista

[14/02/2026 08:28] Merz cita ordem mundial ‘sob destruição’ e acena ao Brasil - CartaCapital

[14/02/2026 09:28] 'A degradação que emana do STF é a maior ameaça à democracia' - Revista Oeste

[14/02/2026 14:06] Após fala de Flávio, Michelle diz que entrega futuro político "a Deus" - CNN Brasil

[14/02/2026 14:50] Um em cada quatro blocos previstos não vai sair em BH - Estado de Minas

[14/02/2026 05:03] Sobe o nível de alerta por chuva forte a intensa em Santa Catarina - MetSul Meteorologia

[14/02/2026 13:56] Chef de cozinha denuncia crime de discriminação a cadeirante em BH - Estado de Minas

[14/02/2026 12:38] Justiça manda deputado se retratar por montagem de Bolsonaro com Vorcaro - CNN Brasil

[CVE-2025-57164] [Modified: 23-10-2025] [Analyzed] [V3.1 S6.5:MEDIUM] Flowise through v3.0.4 is vulnerable to remote code execution via unsanitized evaluation of user input in the "Supabase RPC Filter" field.

[CVE-2025-62419] [Modified: 24-10-2025] [Analyzed] [V3.1 S7.5:HIGH] DataEase is a data visualization and analytics platform. In DataEase versions through 2.10.13, a JDBC URL injection vulnerability exists in the DB2 and MongoDB data source configuration handlers. In the DB2 data source handler, when the extraParams field is empty, the HOSTNAME, PORT, and DATABASE values are directly concatenated into the JDBC URL without filtering illegal parameters. This allows an attacker to inject a malicious JDBC string into the HOSTNAME field to bypass previously patched vulnerabilities CVE-2025-57773 and CVE-2025-58045. The vulnerability is fixed in version 2.10.14. No known workarounds exist.

[CVE-2025-62420] [Modified: 24-10-2025] [Analyzed] [V3.1 S8.8:HIGH] DataEase is a data visualization and analytics platform. In DataEase versions through 2.10.13, a JDBC driver bypass vulnerability exists in the H2 database connection handler. The getJdbc function in H2.java checks if the jdbcUrl starts with jdbc:h2 but returns a separate jdbc field as the actual connection URL. An attacker can provide a jdbcUrl that starts with jdbc:h2 while supplying a different jdbc field with an arbitrary JDBC driver and connection string. This allows an authenticated attacker to trigger arbitrary JDBC connections with malicious drivers, potentially leading to remote code execution. The vulnerability is fixed in version 2.10.14. No known workarounds exist.

[CVE-2025-62421] [Modified: 24-10-2025] [Analyzed] [V3.1 S5.4:MEDIUM] DataEase is a data visualization and analytics platform. In DataEase versions through 2.10.13, a stored cross-site scripting vulnerability exists due to improper file upload validation and authentication bypass. The StaticResourceApi interface defines a route upload/{fileId} that uses a URL path parameter where both the filename and extension of uploaded files are controllable by users. During permission validation, the TokenFilter invokes the WhitelistUtils#match method to determine if the URL path is in the allowlist. If the requestURI ends with .js or similar extensions, it is directly deemed safe and bypasses permission checks. This allows an attacker to access "upload/1.js" while specifying arbitrary file extensions, enabling the upload of HTML files containing malicious JavaScript. The vulnerability is fixed in version 2.10.14. No known workarounds exist.

[CVE-2025-62422] [Modified: 24-10-2025] [Analyzed] [V3.1 S8.8:HIGH] DataEase is an open source data visualization and analytics platform. In versions 2.10.13 and earlier, the /de2api/datasetData/tableField interface is vulnerable to SQL injection. An attacker can construct a malicious tableName parameter to execute arbitrary SQL commands. This issue is fixed in version 2.10.14. No known workarounds exist.

[CVE-2025-62424] [Modified: 10-11-2025] [Analyzed] [V3.1 S6.7:MEDIUM] ClipBucket is a web-based video-sharing platform. In ClipBucket version 5.5.2 - #146 and earlier, the /admin_area/template_editor.php endpoint is vulnerable to path traversal. The validation of the file-loading path is inadequate, allowing authenticated administrators to read and write arbitrary files outside the intended template directory by inserting path traversal sequences into the folder parameter. An attacker with administrator privileges can exploit this vulnerability to read sensitive files such as /etc/passwd and modify writable files on the system, potentially leading to sensitive information disclosure and compromise of the application or server. This issue is fixed in version 5.5.2 - #147.

[CVE-2025-62430] [Modified: 10-11-2025] [Analyzed] [V3.1 S5.4:MEDIUM] ClipBucket v5 is an open source video sharing platform. ClipBucket v5 through build 5.5.2 #145 allows stored cross-site scripting (XSS) in multiple video and photo metadata fields. For videos the Tags field and the Genre, Actors, Producer, Executive Producer, and Director fields in Movieinfos accept user supplied values without adequate sanitization. For photos the Photo Title and Photo Tags fields accept user supplied values without adequate sanitization. A regular user who can edit a video or photo can inject script (for example by supplying a value such as a closing delimiter followed by a script element). The injected script executes when any user, including an unauthenticated visitor or an administrator, views the affected video or photo page. Although cookies are set with the HttpOnly attribute and cannot be read directly, the injected script can issue fetch requests to endpoints such as admin_area pages and exfiltrate their contents or trigger unintended actions. Version 5.5.2 build #146 and later contain a fix. Update to build 5.5.2 #146 or later. No known workarounds exist.

[CVE-2025-11908] [Modified: 31-10-2025] [Analyzed] [V3.1 S6.3:MEDIUM] A security flaw has been discovered in Shenzhen Ruiming Technology Streamax Crocus 1.3.40. The affected element is the function uploadFile of the file /FileDir.do?Action=Upload. Performing manipulation of the argument File results in unrestricted upload. The attack is possible to be carried out remotely. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way.

[CVE-2025-11909] [Modified: 31-10-2025] [Analyzed] [V3.1 S6.3:MEDIUM] A weakness has been identified in Shenzhen Ruiming Technology Streamax Crocus 1.3.40. The impacted element is the function queryLast of the file /RepairRecord.do?Action=QueryLast. Executing manipulation of the argument orderField can lead to sql injection. The attack may be performed from remote. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way.

[CVE-2025-34282] [Modified: 24-10-2025] [Analyzed] [V3.1 S9.1:CRITICAL] ThingsBoard versions < 4.2.1 contain a server-side request forgery (SSRF) vulnerability in the dashboard's Image Upload Gallery feature. An attacker can upload a malicious SVG file that references a remote URL. If the server processes the SVG file in a way that parses external references, it may initiate unintended outbound requests. This can be used to access internal services or resources.

[CVE-2025-56218] [Modified: 27-10-2025] [Analyzed] [V3.1 S9.8:CRITICAL] An arbitrary file upload vulnerability in SigningHub v8.6.8 allows attackers to execute arbitrary code via uploading a crafted PDF file.

[CVE-2025-56221] [Modified: 27-10-2025] [Analyzed] [V3.1 S9.8:CRITICAL] A lack of rate limiting in the login mechanism of SigningHub v8.6.8 allows attackers to bypass authentication via a brute force attack.

[CVE-2025-56316] [Modified: 28-10-2025] [Analyzed] [V3.1 S9.8:CRITICAL] A SQL injection vulnerability in the content_title parameter of the /cms/content/list endpoint in MCMS 5.5.0 allows remote attackers to execute arbitrary SQL queries via unsanitized input in the FreeMarker template rendering.

[CVE-2025-11910] [Modified: 31-10-2025] [Analyzed] [V3.1 S6.3:MEDIUM] A security vulnerability has been detected in Shenzhen Ruiming Technology Streamax Crocus 1.3.40. This affects the function Query of the file /MemoryState.do?Action=Query. The manipulation of the argument orderField leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

[CVE-2025-11911] [Modified: 31-10-2025] [Analyzed] [V3.1 S6.3:MEDIUM] A vulnerability was detected in Shenzhen Ruiming Technology Streamax Crocus 1.3.40. This impacts the function Query of the file /DeviceFault.do?Action=Query. The manipulation of the argument sortField results in sql injection. It is possible to launch the attack remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

[CVE-2025-11912] [Modified: 31-10-2025] [Analyzed] [V3.1 S6.3:MEDIUM] A flaw has been found in Shenzhen Ruiming Technology Streamax Crocus 1.3.40. Affected is the function Query of the file /DeviceState.do?Action=Query. This manipulation of the argument orderField causes sql injection. The attack can be initiated remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

[CVE-2025-11913] [Modified: 31-10-2025] [Analyzed] [V3.1 S4.3:MEDIUM] A vulnerability has been found in Shenzhen Ruiming Technology Streamax Crocus 1.3.40. Affected by this vulnerability is the function Download of the file /Service.do?Action=Download. Such manipulation of the argument Path leads to path traversal. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

[CVE-2025-11925] [Modified: 07-11-2025] [Analyzed] [V3.1 S6.1:MEDIUM] Incorrect Content-Type header in one of the APIs (`text/html` instead of `application/json`) replies may potentially allow injection of HTML/JavaScript into reply.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5.

[CVE-2025-11914] [Modified: 31-10-2025] [Analyzed] [V3.1 S4.3:MEDIUM] A vulnerability was found in Shenzhen Ruiming Technology Streamax Crocus 1.3.40. Affected by this issue is the function Download of the file /DeviceFileReport.do?Action=Download. Performing manipulation of the argument FilePath results in path traversal. The attack may be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

[CVE-2025-62642] [Modified: 31-10-2025] [Analyzed] [V3.1 S5.8:MEDIUM] The Restaurant Brands International (RBI) assistant platform through 2025-09-06 has an "Anyone Can Join This Party" signup API that does not verify user account creation, allowing a remote unauthenticated attacker to create a user account.