Bitcoin Core version 29.3 is now available for download. See the release notes for more information about the bug fixes in this release.
If you have any questions, please stop by the #bitcoin IRC chatroom (IRC, web) and we’ll do our best to help you.

[CVE-2025-60336] [Modified: 24-10-2025] [Analyzed] [V3.1 S7.5:HIGH] A NULL pointer dereference in the sub_41773C function of TOTOLINK N600R v4.3.0cu.7866_B20220506 allows attackers to cause a Denial of Service (DoS) via a crafted HTTP request.

[CVE-2025-60343] [Modified: 24-10-2025] [Analyzed] [V3.1 S7.5:HIGH] Multiple buffer overflows in the AdvSetMacMtuWan function of Tenda AC6 v.15.03.06.50 allow attackers to cause a Denial of Service (DoS) by injecting a crafted payload into the wanMTU, wanSpeed, cloneType, mac, serviceName, serverName, wanMTU2, wanSpeed2, cloneType2, mac2, serviceName2, and serverName2 parameters.

[CVE-2025-62248] [Modified: 11-12-2025] [Analyzed] [V3.1 S4.8:MEDIUM] A reflected cross-site scripting (XSS) vulnerability, resulting from a regression, has been identified in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.9, 2025.Q1.0 through 2025.Q1.16, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13, and 2024.Q1.1 through 2024.Q1.19. It allows a remote, authenticated attacker to inject and execute JavaScript code via the _com_liferay_dynamic_data_mapping_web_portlet_DDMPortlet_definition parameter. The malicious payload is executed within the victim's browser when they access a URL that includes the crafted parameter.

[CVE-2025-62247] [Modified: 11-12-2025] [Analyzed] [V3.1 S6.5:MEDIUM] Missing authorization in the Collection Provider component of Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.9, 2025.Q1.0 through 2025.Q1.16, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, and 2024.Q1.1 through 2024.Q1.19 allows instance users to read and select unauthorized Blueprints through the Collection Providers across instances.

[CVE-2025-62513] [Modified: 27-10-2025] [Analyzed] [V3.1 S7.5:HIGH] OpenBao is an open source identity-based secrets management system. In versions 2.2.0 to 2.4.1, OpenBao's audit log experienced a regression wherein raw HTTP bodies used by a few endpoints were not correctly redacted (HMAC'd). This impacts those using the ACME functionality of PKI, resulting in short-lived ACME verification challenge codes being leaked in the audit logs. Additionally, this impacts those using the OIDC issuer functionality of the identity subsystem: auth and token response codes, along with claims, could be leaked in the audit logs. ACME verification codes are not usable after verification or challenge expiry, so they are of limited long-term use. This issue has been patched in OpenBao 2.4.2.

[CVE-2025-62610] [Modified: 04-02-2026] [Analyzed] [V3.1 S8.1:HIGH] Hono is a Web application framework that provides support for any JavaScript runtime. In versions from 1.1.0 to before 4.10.2, Hono’s JWT Auth Middleware does not provide a built-in aud (Audience) verification option, which can cause confused-deputy / token-mix-up issues: an API may accept a valid token that was issued for a different audience (e.g., another service) when multiple services share the same issuer/keys. This can lead to unintended cross-service access. Hono’s docs list verification options for iss/nbf/iat/exp only, with no aud support; RFC 7519 requires that when an aud claim is present, tokens MUST be rejected unless the processing party identifies itself in that claim. This issue has been patched in version 4.10.2.

[CVE-2025-62612] [Modified: 29-12-2025] [Analyzed] [V3.1 S5.3:MEDIUM] FastGPT is an AI Agent building platform. Prior to version 4.11.1, the workflow file-reading node does not perform security validation on the network link it fetches, posing a risk of SSRF attacks. This issue has been patched in version 4.11.1.

[CVE-2025-62617] [Modified: 30-10-2025] [Analyzed] [V3.1 S7.2:HIGH] Admidio is an open-source user management solution. Prior to version 4.3.17, an authenticated SQL injection vulnerability exists in the member assignment data retrieval functionality of Admidio. Any authenticated user with permissions to assign members to a role (such as an administrator) can exploit this vulnerability to execute arbitrary SQL commands. This can lead to a full compromise of the application's database, including reading, modifying, or deleting all data. This issue has been patched in version 4.3.17.

[CVE-2025-62705] [Modified: 27-10-2025] [Analyzed] [V3.1 S4.9:MEDIUM] OpenBao is an open source identity-based secrets management system. Prior to version 2.4.2, OpenBao's audit log did not appropriately redact fields when relevant subsystems sent []byte response parameters rather than strings. This includes, but is not limited to, sys/raw when used with encoding=base64, where all data would be emitted unredacted to the audit log, and Transit, which, when performing a signing operation with a derived Ed25519 key, would emit public keys to the audit log. This issue has been patched in OpenBao 2.4.2.

[CVE-2025-62707] [Modified: 27-10-2025] [Analyzed] [V3.1 S7.5:HIGH] pypdf is a free and open-source pure-python PDF library. Prior to version 6.1.3, an attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires parsing the content stream of a page which has an inline image using the DCTDecode filter. This has been fixed in pypdf version 6.1.3.

[CVE-2025-62708] [Modified: 27-10-2025] [Analyzed] [V3.1 S7.5:HIGH] pypdf is a free and open-source pure-python PDF library. Prior to version 6.1.3, an attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing the content stream of a page using the LZWDecode filter. This has been fixed in pypdf version 6.1.3.

[CVE-2025-62710] [Modified: 30-10-2025] [Analyzed] [V3.1 S5.9:MEDIUM] Sakai is a Collaboration and Learning Environment. Prior to versions 23.5 and 25.0, EncryptionUtilityServiceImpl initialized an AES256TextEncryptor password (serverSecretKey) using RandomStringUtils with the default java.util.Random. java.util.Random is a non-cryptographic PRNG and can be predicted from limited state/seed information (e.g., start time window), substantially reducing the effective search space of the generated key. An attacker who can obtain ciphertexts (e.g., exported or at-rest strings protected by this service) and approximate the PRNG seed can feasibly reconstruct the serverSecretKey and decrypt affected data. SAK-49866 is patched in Sakai 23.5, 25.0, and trunk.

[CVE-2025-12104] [Modified: 07-11-2025] [Analyzed] [V3.1 S9.8:CRITICAL] Outdated and Vulnerable UI Dependencies might potentially lead to exploitation. This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5.

[CVE-2025-54806] [Modified: 12-11-2025] [Analyzed] [V3.1 S6.1:MEDIUM] GROWI v4.2.7 and earlier contains a cross-site scripting vulnerability in the page alert function. If a user accesses a crafted URL while logged in to the affected product, an arbitrary script may be executed on the user's web browser.

[CVE-2025-9980] [Modified: 17-11-2025] [Analyzed] [V3.1 S4.8:MEDIUM] QuickCMS is vulnerable to multiple Stored XSS in the page editor functionality (pages-form). A malicious attacker with admin privileges can inject arbitrary HTML and JS into the website, which will be rendered/executed when visiting the edited page. By default, the admin user is not able to add JavaScript to the website. The vendor was notified early about this vulnerability, but didn't respond with the details of the vulnerability or the vulnerable version range. Only version 6.8 was tested and confirmed as vulnerable; other versions were not tested and might also be vulnerable.

[CVE-2025-9981] [Modified: 17-11-2025] [Analyzed] [V3.1 S4.8:MEDIUM] QuickCMS is vulnerable to multiple Stored XSS in the slider editor functionality (sliders-form). A malicious attacker with admin privileges can inject arbitrary HTML and JS into the website, which will be rendered/executed on every page. By default, the admin user is not able to add JavaScript to the website. The vendor was notified early about this vulnerability, but didn't respond with the details of the vulnerability or the vulnerable version range. Only version 6.8 was tested and confirmed as vulnerable; other versions were not tested and might also be vulnerable.

[CVE-2025-40643] [Modified: 31-10-2025] [Analyzed] [V3.1 S5.4:MEDIUM] Stored Cross-Site Scripting (XSS) vulnerability in Energy CRM v2025 by Status Tracker Ltd, caused by a lack of proper validation of user input when sending a POST request to “/crm/create_job_submit.php” using the “JobCreatedBy” parameter. This vulnerability could allow a remote user to send a specially crafted query to an authenticated user and steal their session cookie details.

[CVE-2025-41073] [Modified: 30-10-2025] [Analyzed] [V3.1 S6.5:MEDIUM] Path Traversal vulnerability in version 4.4.2236.1 of TESI Gandia Integra Total. This issue allows an authenticated attacker to download a ZIP file containing files from the server, including those located in parent directories (e.g., ..\..\..), by exploiting the “direstudio” parameter in “/encuestas/integraweb[_v4]/integra/html/view/comprimir.php”.

[CVE-2025-62393] [Modified: 14-11-2025] [Analyzed] [V3.1 S4.3:MEDIUM] A flaw was found in the course overview output function where user access permissions were not fully enforced. This could allow unauthorized users to view information about courses they should not have access to, potentially exposing limited course details.

[CVE-2025-62394] [Modified: 14-11-2025] [Analyzed] [V3.1 S4.3:MEDIUM] Moodle failed to verify enrolment status correctly when sending quiz notifications. As a result, suspended or inactive users might receive quiz-related messages, leaking limited course information.