[24/04/2026 04:00] Operação Narco Fluxo: como indústria musical era usada no esquema de lavagem de dinheiro envolvendo MC Ryan SP - G1

[24/04/2026 05:31] Ruy Castro implode o mito do "Flávio Bolsonaro moderado" - Brasil 247

[24/04/2026 00:38] Zema diz que Gilmar compara homossexual com ladrão - Poder360

[24/04/2026 00:51] Lula tratará ceratose na cabeça; entenda procedimento - Correio Braziliense

[23/04/2026 07:53] Ex-presidente do BRB vai pedir transferência para fechar delação - Correio Braziliense

[23/04/2026 23:21] TSE publica acórdão sobre Castro; ex-governador não teve mandato cassado - CNN Brasil

[23/04/2026 23:36] Morre Lúcio Brasileiro, jornalista diário mais antigo do mundo - O POVO

[24/04/2026 07:10] Sexta-feira começa com muita chuva e vem mais água - MetSul Meteorologia

[23/04/2026 17:34] UFMG se posiciona após pancadaria entre alunos e candidatos bolsonaristas - Estado de Minas

[23/04/2026 20:55] PF conclui inquérito sobre morte do ‘Sicário’ de Daniel Vorcaro - Jovem Pan

[CVE-2025-15082] [Modified: 20-01-2026] [Analyzed] [V3.1 S5.3:MEDIUM] A vulnerability was found in TOZED ZLT M30s up to 1.47. Impacted is an unknown function of the file /reqproc/proc_post of the component Web Management Interface. Performing manipulation of the argument goformId results in information disclosure. It is possible to initiate the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

[CVE-2025-15083] [Modified: 20-01-2026] [Analyzed] [V3.1 S2.0:LOW] A vulnerability was determined in TOZED ZLT M30s up to 1.47. The affected element is an unknown function of the component UART Interface. Executing manipulation can lead to on-chip debug and test interface with improper access control. The physical device can be targeted for the attack. Attacks of this nature are highly complex. The exploitability is described as difficult. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.

[CVE-2025-15084] [Modified: 31-12-2025] [Analyzed] [V3.1 S3.1:LOW] A vulnerability was identified in youlaitech youlai-mall 1.0.0/2.0.0. The impacted element is the function orderService.payOrder of the file mall-oms/oms-boot/src/main/java/com/youlai/mall/oms/controller/app/OrderController.java of the component Order Payment Handler. The manipulation leads to improper access controls. The attack can be initiated remotely. The attack is considered to have high complexity. The exploitability is regarded as difficult. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

[CVE-2025-15085] [Modified: 31-12-2025] [Analyzed] [V3.1 S4.3:MEDIUM] A security flaw has been discovered in youlaitech youlai-mall 1.0.0/2.0.0. This affects the function deductBalance of the file mall-ums/ums-boot/src/main/java/com/youlai/mall/ums/controller/app/MemberController.java of the component Balance Handler. The manipulation results in improper authorization. The attack can be launched remotely. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way.

[CVE-2025-68935] [Modified: 02-01-2026] [Analyzed] [V3.1 S6.4:MEDIUM] ONLYOFFICE Docs before 9.2.1 allows XSS via the Font field for the Multilevel list settings window. This is related to DocumentServer.

[CVE-2025-68936] [Modified: 02-01-2026] [Analyzed] [V3.1 S6.4:MEDIUM] ONLYOFFICE Docs before 9.2.1 allows XSS via the Color theme name. This is related to DocumentServer.

[CVE-2025-15086] [Modified: 31-12-2025] [Analyzed] [V3.1 S4.3:MEDIUM] A weakness has been identified in youlaitech youlai-mall 1.0.0/2.0.0. This impacts the function getMemberByMobile of the file mall-ums/ums-boot/src/main/java/com/youlai/mall/ums/controller/app/MemberController.java. This manipulation causes improper access controls. The attack may be initiated remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way.

[CVE-2025-15089] [Modified: 31-12-2025] [Analyzed] [V3.1 S8.8:HIGH] A vulnerability has been found in UTT 进取 512W up to 1.7.7-171114. This affects the function strcpy of the file /goform/APSecurity. The manipulation of the argument wepkey1 leads to buffer overflow. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used.

[CVE-2025-15090] [Modified: 31-12-2025] [Analyzed] [V3.1 S8.8:HIGH] A vulnerability was found in UTT 进取 512W up to 1.7.7-171114. This vulnerability affects the function strcpy of the file /goform/formConfigNoticeConfig. The manipulation of the argument timestart results in buffer overflow. The attack may be performed from remote. The exploit has been made public and could be used.

[CVE-2025-15091] [Modified: 31-12-2025] [Analyzed] [V3.1 S8.8:HIGH] A vulnerability was determined in UTT 进取 512W up to 1.7.7-171114. This issue affects the function strcpy of the file /goform/formPictureUrl. This manipulation of the argument importpictureurl causes buffer overflow. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized.

[CVE-2025-15092] [Modified: 31-12-2025] [Analyzed] [V3.1 S8.8:HIGH] A vulnerability was identified in UTT 进取 512W up to 1.7.7-171114. Impacted is the function strcpy of the file /goform/ConfigExceptMSN. Such manipulation of the argument remark leads to buffer overflow. It is possible to launch the attack remotely. The exploit is publicly available and might be used.

[CVE-2025-68938] [Modified: 02-01-2026] [Analyzed] [V3.1 S4.3:MEDIUM] Gitea before 1.25.2 mishandles authorization for deletion of releases.

[CVE-2025-68939] [Modified: 02-01-2026] [Analyzed] [V3.1 S8.2:HIGH] Gitea before 1.23.0 allows attackers to add attachments with forbidden file extensions by editing an attachment name via an attachment API.

[CVE-2025-68940] [Modified: 02-01-2026] [Analyzed] [V3.1 S3.1:LOW] In Gitea before 1.22.5, branch deletion permissions are not adequately enforced after merging a pull request.

[CVE-2025-68941] [Modified: 02-01-2026] [Analyzed] [V3.1 S4.9:MEDIUM] Gitea before 1.22.3 mishandles access to a private resource upon receiving an API token with scope limited to public resources.

[CVE-2025-68942] [Modified: 02-01-2026] [Analyzed] [V3.1 S5.4:MEDIUM] Gitea before 1.22.2 allows XSS because the search input box (for creating tags and branches) is v-html instead of v-text.

[CVE-2025-15099] [Modified: 08-01-2026] [Analyzed] [V3.1 S7.3:HIGH] A vulnerability was identified in simstudioai sim up to 0.5.27. This vulnerability affects unknown code of the file apps/sim/lib/auth/internal.ts of the component CRON Secret Handler. The manipulation of the argument INTERNAL_API_SECRET leads to improper authentication. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The identifier of the patch is e359dc2946b12ed5e45a0ec9c95ecf91bd18502a. Applying a patch is the recommended action to fix this issue.

[CVE-2025-68943] [Modified: 31-12-2025] [Analyzed] [V3.1 S5.3:MEDIUM] Gitea before 1.21.8 inadvertently discloses users' login times by allowing (for example) the lastlogintime explore/users sort order.

[CVE-2025-68944] [Modified: 31-12-2025] [Analyzed] [V3.1 S5.0:MEDIUM] Gitea before 1.22.2 sometimes mishandles the propagation of token scope for access control within one of its own package registries.

[CVE-2025-68945] [Modified: 31-12-2025] [Analyzed] [V3.1 S5.8:MEDIUM] In Gitea before 1.21.2, an anonymous user can visit a private user's project.