[19/03/2026 10:54] Gilmar anula quebra de sigilo de fundo ligado ao resort Tayayá e critica atuação de CPI - CartaCapital

[19/03/2026 01:00] Traficante Jiló dos Prazeres ganhava percentual por cada roubo de carro e até por clonagem de veículos - G1

[19/03/2026 10:46] PM morta alegava traição de marido tenente-coronel; veja mensagens - CNN Brasil

[19/03/2026 09:30] Daniela Lima: Combo do Apocalipse: defesa de Vorcaro e da Reag deve propor duas delações - UOL Notícias

[19/03/2026 03:30] Caso Master e Lulinha levam PT e Centrão a atuarem para sepultar CPI do INSS - O Globo

[19/03/2026 10:31] Dino manda Carlos Viana e Senado explicarem envio de R$ 3,6 milhões via 'emendas PIX' para fundação da Lagoinha - G1

[19/03/2026 14:29] Lula anuncia Dario Durigan como substituto de Fernando Haddad no Ministério da Fazenda - Valor Econômico

[18/03/2026 22:19] Deputada do PL faz blackface na Alesp para criticar Erika Hilton - Agência Brasil

[19/03/2026 05:30] Master e JBS repassaram R$ 18 milhões a consultoria que pagou filho de Nunes Marques - Estadão

[19/03/2026 09:28] Alcolumbre rebate fala de Valdemar e o chama de “mitômano” - Poder360

[CVE-2025-63218] [Modified: 12-01-2026] [Analyzed] [V3.1 S9.8:CRITICAL] The Axel Technology WOLF1MS and WOLF2MS devices (firmware versions 0.8.5 to 1.0.3) are vulnerable to Broken Access Control due to missing authentication on the /cgi-bin/gstFcgi.fcgi endpoint. Unauthenticated remote attackers can list user accounts, create new administrative users, delete users, and modify system settings, leading to full compromise of the device.

[CVE-2025-63219] [Modified: 12-01-2026] [Analyzed] [V3.1 S7.5:HIGH] The ITEL ISO FM SFN Adapter (firmware ISO2 2.0.0.0, WebServer 2.0) is vulnerable to session hijacking due to improper session management on the /home.html endpoint. An attacker can access an active session without authentication, allowing them to control the device, modify configurations, and compromise system integrity.

[CVE-2025-63243] [Modified: 12-01-2026] [Analyzed] [V3.1 S4.6:MEDIUM] A reflected cross-site scripting (XSS) vulnerability exists in the password change functionality of Pixeon WebLaudos 25.1 (01). The sle_sSenha parameter to the loginAlterarSenha.asp file. An attacker can craft a malicious URL that, when visited by a victim, causes arbitrary JavaScript code to be executed in the victim's browser within the security context of the vulnerable application. This issue could allow attackers to steal session cookies, disclose sensitive information, perform unauthorized actions on behalf of the user, or conduct phishing attacks.

[CVE-2025-13396] [Modified: 20-11-2025] [Analyzed] [V3.1 S6.3:MEDIUM] A weakness has been identified in code-projects Courier Management System 1.0. This affects an unknown function of the file /add-office.php. This manipulation of the argument OfficeName causes sql injection. The attack may be initiated remotely. The exploit has been made available to the public and could be exploited.

[CVE-2025-13397] [Modified: 01-12-2025] [Analyzed] [V3.1 S3.3:LOW] A security vulnerability has been detected in mrubyc up to 3.4. This impacts the function mrbc_raw_realloc of the file src/alloc.c. Such manipulation of the argument ptr leads to null pointer dereference. An attack has to be approached locally. The name of the patch is 009111904807b8567262036bf45297c3da8f1c87. It is advisable to implement a patch to correct this issue.

[CVE-2025-63220] [Modified: 08-01-2026] [Analyzed] [V3.1 S7.2:HIGH] The Sound4 FIRST web-based management interface is vulnerable to Remote Code Execution (RCE) via a malicious firmware update package. The update mechanism fails to validate the integrity of manual.sh, allowing an attacker to inject arbitrary commands by modifying this script and repackaging the firmware.

[CVE-2025-63221] [Modified: 12-01-2026] [Analyzed] [V3.1 S9.1:CRITICAL] The Axel Technology puma devices (firmware versions 0.8.5 to 1.0.3) are vulnerable to Broken Access Control due to missing authentication on the /cgi-bin/gstFcgi.fcgi endpoint. Unauthenticated remote attackers can list user accounts, create new administrative users, delete users, and modify system settings, leading to full compromise of the device.

[CVE-2025-63223] [Modified: 15-01-2026] [Analyzed] [V3.1 S9.8:CRITICAL] The Axel Technology StreamerMAX MK II devices (firmware versions 0.8.5 to 1.0.3) are vulnerable to Broken Access Control due to missing authentication on the /cgi-bin/gstFcgi.fcgi endpoint. Unauthenticated remote attackers can list user accounts, create new administrative users, delete users, and modify system settings, leading to full compromise of the device.

[CVE-2025-63224] [Modified: 15-01-2026] [Analyzed] [V3.1 S10.0:CRITICAL] The Itel DAB Encoder (IDEnc build 25aec8d) is vulnerable to Authentication Bypass due to improper JWT validation across devices. Attackers can reuse a valid JWT token obtained from one device to authenticate and gain administrative access to any other device running the same firmware, even if the passwords and networks are different. This allows full compromise of affected devices.

[CVE-2025-63878] [Modified: 31-12-2025] [Analyzed] [V3.1 S6.5:MEDIUM] Github Restaurant Website Restoran v1.0 was discovered to contain a SQL injection vulnerability via the Contact Form page.

[CVE-2025-63879] [Modified: 12-12-2025] [Analyzed] [V3.1 S6.1:MEDIUM] A reflected cross-site scripted (XSS) vulnerability in the /ecommerce/products.php component of E-commerce Project v1.0 and earlier allows attackers to execute arbitrary Javascript in the context of a user's browser via injecting a crafted payload into the id parameter.

[CVE-2025-65022] [Modified: 20-11-2025] [Analyzed] [V3.1 S7.2:HIGH] i-Educar is free, fully online school management software. In versions 2.10.0 and prior, an authenticated time-based SQL injection vulnerability exists in the ieducar/intranet/agenda.php script. An attacker with access to an authenticated session can execute arbitrary SQL commands against the application's database. This vulnerability is caused by the improper handling of the cod_agenda request parameter, which is directly concatenated into multiple SQL queries without proper sanitization. This issue has been patched in commit b473f92.

[CVE-2025-65023] [Modified: 20-11-2025] [Analyzed] [V3.1 S7.2:HIGH] i-Educar is free, fully online school management software. In versions 2.10.0 and prior, an authenticated time-based SQL injection vulnerability exists in the ieducar/intranet/funcionario_vinculo_cad.php script. An attacker with access to an authenticated session can execute arbitrary SQL commands against the application's database. This vulnerability is caused by the improper handling of the cod_funcionario_vinculo GET parameter, which is directly concatenated into an SQL query without proper sanitization. This issue has been patched in commit a00dfa3.

[CVE-2025-65024] [Modified: 20-11-2025] [Analyzed] [V3.1 S7.2:HIGH] i-Educar is free, fully online school management software. In versions 2.10.0 and prior, an authenticated time-based SQL injection vulnerability exists in the ieducar/intranet/agenda_admin_cad.php script. An attacker with access to an authenticated session can execute arbitrary SQL commands against the application's database. This vulnerability is caused by the improper handling of the cod_agenda GET parameter, which is directly concatenated into an SQL query without proper sanitization. This issue has been patched in commit 3e9763a.

[CVE-2025-12766] [Modified: 01-12-2025] [Analyzed] [V3.1 S5.0:MEDIUM] An Insecure Direct Object Reference (IDOR) vulnerability in the Management Console of BlackBerry® AtHoc® (OnPrem) version 7.21 could allow an attacker to potentially gain unauthorized knowledge about other organizations hosted on the same Interactive Warning System (IWS).

[CVE-2025-34328] [Modified: 12-12-2025] [Analyzed] [V3.1 S9.8:CRITICAL] AudioCodes Fax Server and Auto-Attendant IVR appliances versions up to and including 2.6.23 include a web administration component (F2MAdmin) that exposes an unauthenticated script-management endpoint at AudioCodes_files/utils/IVR/diagram/ajaxScript.php. The saveScript action writes attacker-supplied data directly to a server-side file path under the privileges of the web service account, which runs as NT AUTHORITY\\SYSTEM on Windows deployments. A remote, unauthenticated attacker can write arbitrary files into the product’s web-accessible directory structure and subsequently execute them.

[CVE-2025-34329] [Modified: 12-12-2025] [Analyzed] [V3.1 S9.8:CRITICAL] AudioCodes Fax Server and Auto-Attendant IVR appliances versions up to and including 2.6.23 expose an unauthenticated backup upload endpoint at AudioCodes_files/ajaxBackupUploadFile.php in the F2MAdmin web interface. The script derives a backup folder path from application configuration, creates the directory if it does not exist, and then moves an uploaded file to that location using the attacker-controlled filename, without any authentication, authorization, or file-type validation. On default Windows deployments where the backup directory resolves to the system drive, a remote attacker can upload web server or interpreter configuration files that cause a log file or other server-controlled resource to be treated as executable code. This allows subsequent HTTP requests to trigger arbitrary command execution under the web server account, which runs as NT AUTHORITY\\SYSTEM.

[CVE-2025-34330] [Modified: 12-12-2025] [Analyzed] [V3.1 S5.3:MEDIUM] AudioCodes Fax Server and Auto-Attendant IVR appliances versions up to and including 2.6.23 include a web administration component (F2MAdmin) that exposes an unauthenticated prompt upload endpoint at AudioCodes_files/utils/IVR/diagram/ajaxPromptUploadFile.php. The script accepts an uploaded file and writes it into the C:\\F2MAdmin\\tmp directory using a filename derived from application constants, without any authentication, authorization, or file-type validation. A remote, unauthenticated attacker can upload or overwrite prompt- or music-on-hold–related files in this directory, potentially leading to tampering with IVR audio content or preparing files for use in further attacks.

[CVE-2025-34331] [Modified: 12-12-2025] [Analyzed] [V3.1 S7.5:HIGH] AudioCodes Fax Server and Auto-Attendant IVR appliances versions up to and including 2.6.23 contain an unauthenticated file read vulnerability via the download.php script. The endpoint exposes a file download mechanism that lacks access control, allowing remote, unauthenticated users to request files stored on the appliance based solely on attacker-supplied path and filename parameters. While limited to specific file extensions permitted by the application logic, sensitive backup archives can be retrieved, exposing internal databases and credential hashes. Successful exploitation may lead to disclosure of administrative password hashes and other sensitive configuration data.

[CVE-2025-34332] [Modified: 11-12-2025] [Analyzed] [V3.1 S7.8:HIGH] AudioCodes Fax Server and Auto-Attendant IVR appliances versions up to and including 2.6.23 include a web administration component that controls back-end Windows services using helper batch scripts located under C:\\F2MAdmin\\F2E\\AudioCodes_files\\utils\\Services. When certain service actions are requested through ajaxPost.php, these scripts are invoked by PHP using system() under the NT AUTHORITY\\SYSTEM account. The batch files in this directory are writable by any authenticated local user due to overly permissive ACLs, allowing them to replace script contents with arbitrary commands. On the next service start/stop operation, the modified script is executed as SYSTEM, enabling elevation of local privileges.