[CVE-2025-12873] [Modified: 18-11-2025] [Analyzed] [V3.1 S4.7:MEDIUM] A security flaw has been discovered in Campcodes School File Management 1.0. This affects an unknown part of the file /admin/update_user.php. Manipulation of the argument user_id results in SQL injection. It is possible to initiate the attack remotely. The exploit has been released to the public and may be exploited.

[CVE-2025-57697] [Modified: 05-12-2025] [Analyzed] [V3.1 S6.5:MEDIUM] AstrBot Project v3.5.22 has an arbitrary file read vulnerability in function _encode_image_bs64. Since the _encode_image_bs64 function defined in entities.py opens the image specified by the user in the request body and returns the image content as a base64-encoded string without checking the legitimacy of the image path, attackers can construct a series of malicious URLs to read any specified file, resulting in sensitive data leakage.

[CVE-2025-63713] [Modified: 18-11-2025] [Analyzed] [V3.1 S6.1:MEDIUM] Cross-Site Scripting (XSS) vulnerability in SourceCodester "MatchMaster" 1.0 allows remote attackers to inject arbitrary web script or HTML via crafted input in the custom test creation feature. The vulnerability exists because the application fails to properly sanitize user-supplied input in test titles and matching pair items before rendering them in the DOM during test execution.

[CVE-2025-63714] [Modified: 17-11-2025] [Analyzed] [V3.1 S6.1:MEDIUM] Cross-Site Scripting (XSS) vulnerability in SourceCodester User Account Generator 1.0 allows remote attackers to execute arbitrary JavaScript code in the context of the user's browser session via crafted input in the Username Prefix field. The vulnerability exists due to improper sanitization of user-supplied input when rendering generated account data to the DOM, allowing persistent injection of malicious HTML elements that execute when clicked by users.

[CVE-2025-63716] [Modified: 17-11-2025] [Analyzed] [V3.1 S6.5:MEDIUM] The SourceCodester Leads Manager Tool v1.0 is vulnerable to Cross-Site Request Forgery (CSRF) attacks that allow unauthorized state-changing operations. The application lacks CSRF protection mechanisms such as anti-CSRF tokens or same-origin verification for critical endpoints.

[CVE-2025-63718] [Modified: 17-11-2025] [Analyzed] [V3.1 S6.5:MEDIUM] A SQL injection vulnerability exists in the SourceCodester PQMS (Patient Queue Management System) 1.0 in the api_patient_schedule.php endpoint. The appointmentID parameter is not properly sanitized, allowing attackers to execute arbitrary SQL commands.

[CVE-2024-47118] [Modified: 19-11-2025] [Analyzed] [V3.1 S6.5:MEDIUM] IBM Db2 10.5.0 through 10.5.11, 11.1.0 through 11.1.4.7, 11.5.0 through 11.5.9, and 12.1.0 through 12.1.3 for Linux, UNIX and Windows (includes Db2 Connect Server) is vulnerable to a denial of service as the server may crash under certain conditions with a specially crafted query.

[CVE-2025-2534] [Modified: 19-11-2025] [Analyzed] [V3.1 S5.3:MEDIUM] IBM Db2 11.1.0 through 11.1.4.7, 11.5.0 through 11.5.9, and 12.1.0 through 12.1.3 for Linux, UNIX and Windows (includes Db2 Connect Server) is vulnerable to a denial of service as the server may crash under certain conditions with a specially crafted query.

[CVE-2025-33012] [Modified: 19-11-2025] [Analyzed] [V3.1 S6.3:MEDIUM] IBM Db2 10.5.0 through 10.5.11, 11.1.0 through 11.1.4.7, 11.5.0 through 11.5.9, and 12.1.0 through 12.1.3 for Linux could allow an authenticated user to regain access after account lockout due to password use after expiration date.

[CVE-2025-36006] [Modified: 19-11-2025] [Analyzed] [V3.1 S6.5:MEDIUM] IBM Db2 10.5.0 through 10.5.11, 11.1.0 through 11.1.4.7, 11.5.0 through 11.5.9, and 12.1.0 through 12.1.3 for Linux, UNIX and Windows (includes Db2 Connect Server) could allow an authenticated user to cause a denial of service due to the improper release of resources after use.

[CVE-2025-36008] [Modified: 19-11-2025] [Analyzed] [V3.1 S6.5:MEDIUM] IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.3 for Linux, UNIX and Windows (includes Db2 Connect Server) could allow an authenticated user to cause a denial of service due to improper allocation of resources.

[CVE-2025-36131] [Modified: 19-11-2025] [Analyzed] [V3.1 S4.6:MEDIUM] IBM Db2 11.1.0 through 11.1.4.7, 11.5.0 through 11.5.9, and 12.1.0 through 12.1.3 for Linux, UNIX and Windows (includes Db2 Connect Server) clpplus command exposes user credentials to the terminal which could be obtained by a third party with physical access to the system.

[CVE-2025-36135] [Modified: 11-12-2025] [Analyzed] [V3.1 S5.4:MEDIUM] IBM Sterling B2B Integrator 6.0.0.0 through 6.1.2.7_1, 6.2.0.0 through 6.2.0.5, and 6.2.1.0 and IBM Sterling File Gateway 6.0.0.0 through 6.1.2.7_1, 6.2.0.0 through 6.2.0.5, and 6.2.1.0 are vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session.

[CVE-2025-36136] [Modified: 19-11-2025] [Analyzed] [V3.1 S5.1:MEDIUM] IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.3 for Linux, UNIX and Windows (includes Db2 Connect Server) could allow a local user to cause a denial of service due to the database monitor script incorrectly detecting that the instance is still starting under specific conditions.

[CVE-2025-36185] [Modified: 18-11-2025] [Analyzed] [V3.1 S6.2:MEDIUM] IBM Db2 12.1.0 through 12.1.2 for Linux, UNIX and Windows (includes Db2 Connect Server) could allow a local user to cause a denial of service due to improper neutralization of special elements in data query logic.

[CVE-2025-36186] [Modified: 18-11-2025] [Analyzed] [V3.1 S7.4:HIGH] IBM Db2 12.1.0 through 12.1.3 for Linux, UNIX and Windows (includes Db2 Connect Server) under specific configurations could allow a local user to execute malicious code that escalates their privileges to root, because unnecessary privileges are exercised at a higher than minimum level.

[CVE-2025-61261] [Modified: 11-12-2025] [Analyzed] [V3.1 S5.4:MEDIUM] A reflected cross-site scripting (XSS) vulnerability in CKeditor v46.1.0 & Angular v18.0.0 allows attackers to execute arbitrary code in the context of a user's browser by injecting a crafted payload.

[CVE-2025-63717] [Modified: 17-11-2025] [Analyzed] [V3.1 S6.5:MEDIUM] The change password functionality at /pet_grooming/admin/change_pass.php in SourceCodester Pet Grooming Management Software 1.0 is vulnerable to Cross-Site Request Forgery (CSRF) attacks. The application does not implement adequate anti-CSRF tokens or same-site cookie restrictions, allowing attackers to trick authenticated users into unknowingly changing their passwords.

[CVE-2025-64432] [Modified: 25-11-2025] [Analyzed] [V3.1 S4.7:MEDIUM] KubeVirt is a virtual machine management add-on for Kubernetes. Versions 1.5.3 and below, and 1.6.0 contained a flawed implementation of the Kubernetes aggregation layer's authentication flow which could enable bypass of RBAC controls. It was discovered that the virt-api component fails to correctly authenticate the client when receiving API requests over mTLS. In particular, it fails to validate the CN (Common Name) field in the received client TLS certificates against the set of allowed values defined in the extension-apiserver-authentication configmap. Failure to validate certain fields in the client TLS certificate may allow an attacker to bypass existing RBAC controls by directly communicating with the aggregated API server, impersonating the Kubernetes API server and its aggregator component. This issue is fixed in versions 1.5.3 and 1.6.1.

[CVE-2025-63638] [Modified: 17-11-2025] [Analyzed] [V3.1 S6.1:MEDIUM] Sourcecodester AI-Powered To-Do List App v1.0 is vulnerable to Cross-Site Scripting (XSS) in the "Task Title" and "Description (Optional)" fields when creating a Task, allowing an attacker to inject arbitrary potentially malicious HTML/JavaScript code that executes in the victim's browser upon clicking the "Add Task" button.