[20/03/2026 03:30] Governo teme que Vorcaro use delação para envolver Executivo no caso Master - O Globo

[19/03/2026 21:14] Quem é Dario Durigan, novo ministro da Fazenda - Revista Oeste

[20/03/2026 12:27] 'Eu vou tomar banho, irmão': gravações de câmera corporal mostram PMs intimidados com tenente-coronel após crime - G1

[20/03/2026 10:18] Avião com André Mendonça tem decolagem abortada após falha mecânica - Metrópoles

[20/03/2026 07:40] Irã anuncia morte de porta-voz da Guarda Revolucionária - Jovem Pan

[20/03/2026 06:03] Governo Lula avalia novos decretos para regulamentar big techs - Poder360

[20/03/2026 08:18] Lula retorna a Minas Gerais nesta sexta (20/3) - Estado de Minas

[20/03/2026 08:47] Homens ligados ao miliciano 'Juninho Varão' acabam presos na Baixada - O Dia

[20/03/2026 07:16] PM prende homem escondido em bunker subterrâneo no interior de São Paulo; vídeo - Revista Oeste

[20/03/2026 06:28] Estudo desconstrói argumentos contra fim da 6×1 e aponta mais empregos e crescimento do PIB - ICL Notícias

[CVE-2025-13434] [Modified: 11-12-2025] [Analyzed] [V3.1 S5.3:MEDIUM] A weakness has been identified in jameschz Hush Framework 2.0. The impacted element is an unknown function of the file Hush\hush-lib\hush\Util.php of the component HTTP Host Header Handler. This manipulation of the argument $_SERVER['HOST'] causes improper neutralization of http headers for scripting syntax. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way.

[CVE-2025-13435] [Modified: 11-12-2025] [Analyzed] [V3.1 S5.6:MEDIUM] A security vulnerability has been detected in Dreampie Resty up to 1.3.1.SNAPSHOT. This affects the function Request of the file /resty-httpclient/src/main/java/cn/dreampie/client/HttpClient.java of the component HttpClient Module. Such manipulation of the argument filename leads to path traversal. The attack may be performed from remote. Attacks of this nature are highly complex. The exploitability is reported as difficult. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

[CVE-2025-13442] [Modified: 08-01-2026] [Analyzed] [V3.1 S7.3:HIGH] A security vulnerability has been detected in UTT 进取 750W up to 3.2.2-191225. Affected by this vulnerability is the function system of the file /goform/formPdbUpConfig. Such manipulation of the argument policyNames leads to command injection. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

[CVE-2025-13443] [Modified: 25-11-2025] [Analyzed] [V3.1 S5.4:MEDIUM] A vulnerability was detected in macrozheng mall up to 1.0.3. Affected by this issue is the function delete of the file /member/readHistory/delete. Performing manipulation of the argument ids results in improper access controls. Remote exploitation of the attack is possible. The exploit is now public and may be used.

[CVE-2025-13446] [Modified: 21-11-2025] [Analyzed] [V3.1 S8.8:HIGH] A vulnerability has been found in Tenda AC21 16.03.08.16. This vulnerability affects unknown code of the file /goform/SetSysTimeCfg. The manipulation of the argument timeZone/time leads to stack-based buffer overflow. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used.

[CVE-2025-13449] [Modified: 21-11-2025] [Analyzed] [V3.1 S7.3:HIGH] A vulnerability was found in code-projects Online Shop Project 1.0. This issue affects some unknown processing of the file /login.php. The manipulation of the argument Password results in sql injection. The attack may be performed from remote. The exploit has been made public and could be used.

[CVE-2025-13450] [Modified: 21-11-2025] [Analyzed] [V3.1 S3.5:LOW] A vulnerability was determined in SourceCodester Online Shop Project 1.0. Impacted is an unknown function of the file /shop/register.php. This manipulation of the argument f_name causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized.

[CVE-2025-13451] [Modified: 21-11-2025] [Analyzed] [V3.1 S7.3:HIGH] A vulnerability was identified in SourceCodester Online Shop Project 1.0. The affected element is an unknown function of the file /action.php. Such manipulation of the argument Search leads to sql injection. It is possible to launch the attack remotely. The exploit is publicly available and might be used.

[CVE-2025-13468] [Modified: 21-11-2025] [Analyzed] [V3.1 S5.4:MEDIUM] A weakness has been identified in SourceCodester Alumni Management System 1.0. This issue affects the function delete_forum/delete_career/delete_comment/delete_gallery/delete_event of the file admin/admin_class.php of the component Delete Handler. Executing manipulation of the argument ID can lead to missing authorization. It is possible to launch the attack remotely. The exploit has been made available to the public and could be exploited.

[CVE-2025-40601] [Modified: 12-12-2025] [Analyzed] [V3.1 S7.5:HIGH] A Stack-based buffer overflow vulnerability in the SonicOS SSLVPN service allows a remote unauthenticated attacker to cause Denial of Service (DoS), which could cause an impacted firewall to crash.

[CVE-2025-40604] [Modified: 12-12-2025] [Analyzed] [V3.1 S9.8:CRITICAL] Download of Code Without Integrity Check Vulnerability in the SonicWall Email Security appliance loads root filesystem images without verifying signatures, allowing attackers with VMDK or datastore access to modify system files and gain persistent arbitrary code execution.

[CVE-2025-40605] [Modified: 12-12-2025] [Analyzed] [V3.1 S5.3:MEDIUM] A Path Traversal vulnerability has been identified in the Email Security appliance allows an attacker to manipulate file system paths by injecting crafted directory-traversal sequences (such as ../) and may access files and directories outside the intended restricted path.

[CVE-2025-41074] [Modified: 21-11-2025] [Analyzed] [V3.1 S7.5:HIGH] Vulnerability in LimeSurvey 6.13.0 in the endpoint /optout that causes infinite HTTP redirects when accessed directly. This behavior can be exploited to generate a Denegation of Service (DoS attack), by exhausting server or client resources. The system is unable to break the redirect loop, which can cause service degradation or browser instability.

[CVE-2025-41075] [Modified: 21-11-2025] [Analyzed] [V3.1 S7.5:HIGH] Vulnerability in LimeSurvey 6.13.0 in the endpoint /optin that causes infinite HTTP redirects when accessed directly. This behavior can be exploited to generate a Denegation of Service (DoS attack), by exhausting server or client resources. The system is unable to break the redirect loop, which can cause service degradation or browser instability.

[CVE-2025-41076] [Modified: 21-11-2025] [Analyzed] [V3.1 S6.5:MEDIUM] In version 6.13.0 of LimeSurvey, any external user can cause a 500 error in the survey system by sending a malformed session cookie. Instead of displaying a generic error message, the system exposes internal backend information, including the use of the Yii framework, the MySQL/MariaDB database engine, the table name 'lime_sessions', primary keys, and fragments of the content that caused the conflict. This information can simplify the collection of data about the internal architecture of the application by an attacker.

[CVE-2025-60794] [Modified: 12-12-2025] [Analyzed] [V3.1 S6.5:MEDIUM] Session tokens and passwords in couch-auth 0.21.2 are stored in JavaScript objects and remain in memory without explicit clearing in src/user.ts lines 700-707. This creates a window of opportunity for sensitive data extraction through memory dumps, debugging tools, or other memory access techniques, potentially leading to session hijacking.

[CVE-2025-60796] [Modified: 25-11-2025] [Analyzed] [V3.1 S6.1:MEDIUM] phpPgAdmin 7.13.0 and earlier contains multiple cross-site scripting (XSS) vulnerabilities across various components. User-supplied input from $_REQUEST parameters is reflected in HTML output without proper encoding or sanitization in multiple locations including sequences.php, indexes.php, admin.php, and other unspecified files. An attacker can exploit these vulnerabilities to execute arbitrary JavaScript in victims' browsers, potentially leading to session hijacking, credential theft, or other malicious actions.

[CVE-2025-60797] [Modified: 25-11-2025] [Analyzed] [V3.1 S6.5:MEDIUM] phpPgAdmin 7.13.0 and earlier contains a SQL injection vulnerability in dataexport.php at line 118. The application directly executes user-supplied SQL queries from the $_REQUEST['query'] parameter without any sanitization or parameterization via $data->conn->Execute($_REQUEST['query']). An authenticated attacker can exploit this vulnerability to execute arbitrary SQL commands, potentially leading to complete database compromise, data theft, or privilege escalation.

[CVE-2025-60798] [Modified: 25-11-2025] [Analyzed] [V3.1 S6.5:MEDIUM] phpPgAdmin 7.13.0 and earlier contains a SQL injection vulnerability in display.php at line 396. The application passes user-controlled input from $_REQUEST['query'] directly to the browseQuery function without proper sanitization. An authenticated attacker can exploit this vulnerability to execute arbitrary SQL commands through malicious query manipulation, potentially leading to complete database compromise.

[CVE-2025-60799] [Modified: 25-11-2025] [Analyzed] [V3.1 S6.1:MEDIUM] phpPgAdmin 7.13.0 and earlier contains an incorrect access control vulnerability in sql.php at lines 68-76. The application allows unauthorized manipulation of session variables by accepting user-controlled parameters ('subject', 'server', 'database', 'queryid') without proper validation or access control checks. Attackers can exploit this to store arbitrary SQL queries in $_SESSION['sqlquery'] by manipulating these parameters, potentially leading to session poisoning, stored cross-site scripting, or unauthorized access to sensitive session data.