[18/03/2026 08:57] "Jiló", chefe do tráfico no Morro dos Prazeres, é morto pela PM no Rio - CNN Brasil

[18/03/2026 11:39] Veja momento em que Tenente-Coronel suspeito de matar esposa PM é preso - CNN Brasil

[18/03/2026 05:31] Vorcaro mantém plano de delação - Revista Oeste

[18/03/2026 03:21] Flávio Bolsonaro visita Moraes para pedir prisão domiciliar a seu pai - Poder360

[18/03/2026 10:57] Uma "Operação Salva Alexandre de Moraes" está em curso em Brasília - Metrópoles

[18/03/2026 01:15] Irã ataca Tel Aviv em retaliação à morte de Ali Larijani - CNN Brasil

[18/03/2026 09:31] Chuvas atingem 122 municípios do Ceará na manhã desta quarta (18) - Diário do Nordeste

[18/03/2026 06:06] CNJ resiste a acabar com aposentadoria remunerada para punir juiz - Poder360

[18/03/2026 05:03] Filho do traficante Abelha tem mural em sua homenagem em ponto turístico na Lapa - Extra online

[18/03/2026 11:00] Vídeo flagra donos de concessionária sendo roubados em Contagem - Estado de Minas

[CVE-2025-13346] [Modified: 19-11-2025] [Analyzed] [V3.1 S6.3:MEDIUM] A vulnerability was detected in SourceCodester Train Station Ticketing System 1.0. This affects an unknown part of the file /ajax.php?action=save_station. Performing manipulation of the argument id/station results in sql injection. The attack may be initiated remotely. The exploit is now public and may be used.

[CVE-2025-13347] [Modified: 19-11-2025] [Analyzed] [V3.1 S6.3:MEDIUM] A flaw has been found in SourceCodester Train Station Ticketing System 1.0. This vulnerability affects unknown code of the file /ajax.php?action=save_user. Executing manipulation of the argument Username can lead to sql injection. The attack may be launched remotely. The exploit has been published and may be used.

[CVE-2025-13349] [Modified: 20-11-2025] [Analyzed] [V3.1 S3.5:LOW] A vulnerability has been found in SourceCodester Student Grades Management System 1.0. This issue affects some unknown processing of the file /grades.php of the component Add New Grade Page. The manipulation of the argument Remarks leads to cross site scripting. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used.

[CVE-2025-55179] [Modified: 25-11-2025] [Analyzed] [V3.1 S5.4:MEDIUM] Incomplete validation of rich response messages in WhatsApp for iOS prior to v2.25.23.73, WhatsApp Business for iOS v2.25.23.82, and WhatsApp for Mac v2.25.23.83 could have allowed a user to trigger processing of media content from an arbitrary URL on another user’s device. We have not seen evidence of exploitation in the wild.

[CVE-2025-63883] [Modified: 04-02-2026] [Analyzed] [V3.1 S5.4:MEDIUM] A DOM-based cross-site scripting vulnerability exists in electic-shop v1.0 (Bhabishya-123/E-commerce). The site's client-side JavaScript reads attacker-controlled input (for example, values derived from the URL or page fragment) and inserts it into the DOM via unsafe sinks (innerHTML/insertAdjacentHTML/document.write) without proper sanitization or context-aware encoding. An attacker can craft a malicious URL that, when opened by a victim, causes arbitrary JavaScript to execute in the victim's browser under the electic-shop origin.

[CVE-2025-63892] [Modified: 20-11-2025] [Analyzed] [V3.1 S6.8:MEDIUM] A vulnerability was determined in SourceCodester Student Grades Management System 1.0. Affected is the function create_classroom of the file /classroom.php of the component My Classrooms Management Page. This manipulation of the argument name/description causes stored cross site scripting.

[CVE-2025-9312] [Modified: 08-12-2025] [Analyzed] [V3.1 S9.8:CRITICAL] A missing authentication enforcement vulnerability exists in the mutual TLS (mTLS) implementation used by System REST APIs and SOAP services in multiple WSO2 products. Due to improper validation of client certificate–based authentication in certain default configurations, the affected components may permit unauthenticated requests even when mTLS is enabled. This condition occurs when relying on the default mTLS settings for System REST APIs or when the mTLS authenticator is enabled for SOAP services, causing these interfaces to accept requests without enforcing additional authentication. Successful exploitation allows a malicious actor with network access to the affected endpoints to gain administrative privileges and perform unauthorized operations. The vulnerability is exploitable only when the impacted mTLS flows are enabled and accessible in a given deployment. Other certificate-based authentication mechanisms such as Mutual TLS OAuth client authentication and X.509 login flows are not affected, and APIs served through the API Gateway of WSO2 API Manager remain unaffected.

[CVE-2025-12383] [Modified: 16-01-2026] [Analyzed] [V3.1 S7.4:HIGH] In Eclipse Jersey versions 2.45, 3.0.16, 3.1.9 a race condition can cause ignoring of critical SSL configurations - such as mutual authentication, custom key/trust stores, and other security settings. This issue may result in SSLHandshakeException under normal circumstances, but under certain conditions, it could lead to unauthorized trust in insecure servers (see PoC)

[CVE-2025-55074] [Modified: 25-11-2025] [Analyzed] [V3.1 S3.0:LOW] Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11 fail to enforce access permissions on the Agents plugin which allows other users to determine when users had read channels via channel member objects

[CVE-2025-58121] [Modified: 24-11-2025] [Analyzed] [V3.1 S5.4:MEDIUM] Insufficient permission validation on multiple REST API endpoints in Checkmk 2.2.0, 2.3.0, and 2.4.0 before version 2.4.0p16 allows low-privileged users to perform unauthorized actions or obtain sensitive information

[CVE-2025-58122] [Modified: 24-11-2025] [Analyzed] [V3.1 S5.4:MEDIUM] Insufficient permission validation in Checkmk 2.4.0 before version 2.4.0p16 allows low-privileged users to modify notification parameters via the REST API, which could lead to unauthorized actions or information disclosure.

[CVE-2025-63408] [Modified: 31-12-2025] [Analyzed] [V3.1 S7.8:HIGH] Local Agent DVR versions thru 6.6.1.0 are vulnerable to directory traversal that allows an unauthenticated local attacker to gain access to sensitive information, cause a server-side forgery request (SSRF), or execute OS commands.

[CVE-2025-63602] [Modified: 31-12-2025] [Analyzed] [V3.1 S7.3:HIGH] A vulnerability was discovered in Awesome Miner thru 11.2.4 that allows arbitrary read and write to kernel memory and MSRs (such as LSTAR) as an unprivileged user. This is due to the implementation of an insecure version of WinRing0 (1.2.0.5, renamed to IntelliBreeze.Maintenance.Service.sys) that lacks a properly secured DACL, allowing unprivileged users to interact with the driver and, as a result, the kernel. This can result in local privilege escalation, information disclosure, denial of service, and other unspecified impacts.

[CVE-2025-63603] [Modified: 02-01-2026] [Analyzed] [V3.1 S6.5:MEDIUM] A command injection vulnerability exists in the MCP Data Science Server's (reading-plus-ai/mcp-server-data-exploration) 0.1.6 in the safe_eval() function (src/mcp_server_ds/server.py:108). The function uses Python's exec() to execute user-supplied scripts but fails to restrict the __builtins__ dictionary in the globals parameter. When __builtins__ is not explicitly defined, Python automatically provides access to all built-in functions including __import__, exec, eval, and open. This allows an attacker to execute arbitrary Python code with full system privileges, leading to complete system compromise. The vulnerability can be exploited by submitting a malicious script to the run_script tool, requiring no authentication or special privileges.

[CVE-2025-63604] [Modified: 31-12-2025] [Analyzed] [V3.1 S6.5:MEDIUM] A code injection vulnerability exists in baryhuang/mcp-server-aws-resources-python 0.1.0 that allows remote code execution through insufficient input validation in the execute_query method. The vulnerability stems from the exposure of dangerous Python built-in functions (__import__, getattr, hasattr) in the execution namespace and the direct use of exec() to execute user-supplied code. An attacker can craft malicious queries to execute arbitrary Python code, leading to AWS credential theft (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY), file system access, environment variable disclosure, and potential system compromise. The vulnerability allows attackers to bypass intended security controls and gain unauthorized access to sensitive AWS resources and credentials stored in the server's environment.

[CVE-2025-63800] [Modified: 19-12-2025] [Analyzed] [V3.1 S7.5:HIGH] The password change endpoint in Open Source Point of Sale 3.4.1 allows users to set their account password to an empty string due to missing server-side validation. When an authenticated user omits or leaves the `password` and `repeat_password` parameters empty in the password change request, the backend still returns a successful response and sets the password to an empty string. This effectively disables authentication and may allow unauthorized access to user or administrative accounts.

[CVE-2025-64996] [Modified: 24-11-2025] [Analyzed] [V3.1 S4.4:MEDIUM] In Checkmk versions prior to 2.4.0p16, 2.3.0p41, and all versions of 2.2.0 and older, the mk_inotify plugin creates world-readable and writable files, allowing any local user on the system to read the plugin's output and manipulate it, potentially leading to unauthorized access to or modification of monitoring data.

[CVE-2025-12760] [Modified: 08-12-2025] [Analyzed] [V3.1 S5.4:MEDIUM] Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Email TFA allows Functionality Bypass.This issue affects Email TFA: from 0.0.0 before 2.0.6.

[CVE-2025-12761] [Modified: 08-12-2025] [Analyzed] [V3.1 S3.5:LOW] Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Simple multi step form allows Cross-Site Scripting (XSS).This issue affects Simple multi step form: from 0.0.0 before 2.0.0.

[CVE-2025-13080] [Modified: 24-11-2025] [Analyzed] [V3.1 S5.3:MEDIUM] Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal Drupal core allows Forceful Browsing.This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8.