[24/03/2026 08:31] Irã lança mísseis contra Israel após declarações de Trump sobre negociações - CNN Brasil

[23/03/2026 12:20] Moraes recebe Michelle após PGR recomendar prisão domiciliar para Bolsonaro: o que acontece agora? - BBC

[23/03/2026 19:27] Mendonça dá 48 horas para Alcolumbre prorrogar CPI do INSS - Poder360

[24/03/2026 07:30] Os números da disputa pela presidência entre os eleitores do Mato Grosso, segundo nova pesquisa - CartaCapital

[23/03/2026 18:50] Castro renuncia ao governo do Rio na véspera de julgamento no TSE, e presidente do TJ assume o cargo - O Globo

[23/03/2026 20:50] FT: Investidores apostaram US$ 580 milhões 15 minutos antes de recuo de Trump sobre Irã - Valor Econômico

[24/03/2026 13:08] Deltan Dallagnol é anunciado pré-candidato ao Senado pelo Paraná em evento de filiação de Sergio Moro ao PL - G1

[23/03/2026 23:57] Desistência de Ratinho Jr. surpreende amigos e aliados de primeiro escalão - CNN Brasil

[23/03/2026 19:34] Rio de Janeiro, Santa Catarina e Pará: somente seis estados não atingiram meta de alfabetização; saiba quais - O Globo

[24/03/2026 07:13] Cenário de risco segue com perigo de episódios de chuva forte a intensa - MetSul Meteorologia

[CVE-2025-12978] [Modified: 28-11-2025] [Analyzed] [V3.1 S5.4:MEDIUM] Fluent Bit in_http, in_splunk, and in_elasticsearch input plugins contain a flaw in the tag_key validation logic that fails to enforce exact key-length matching. This allows crafted inputs where a tag prefix is incorrectly treated as a full match. A remote attacker with authenticated or exposed access to these input endpoints can exploit this behavior to manipulate tags and redirect records to unintended destinations. This compromises the authenticity of ingested logs and can allow injection of forged data, alert flooding and routing manipulation.

[CVE-2025-10554] [Modified: 12-01-2026] [Analyzed] [V3.1 S8.7:HIGH] A stored Cross-site Scripting (XSS) vulnerability affecting Requirements in ENOVIA Product Manager from Release 3DEXPERIENCE R2023x through Release 3DEXPERIENCE R2025x allows an attacker to execute arbitrary script code in user's browser session.

[CVE-2025-56401] [Modified: 30-12-2025] [Analyzed] [V3.1 S7.6:HIGH] ZIRA Group WBRM 7.0 is vulnerable to SQL Injection in referenceLookupsByTableNameAndColumnName.

[CVE-2025-56423] [Modified: 28-11-2025] [Analyzed] [V3.1 S5.3:MEDIUM] An issue in Austrian Academy of Sciences (AW) Austrian Archaeological Institute OpenAtlas v.8.12.0 allows a remote attacker to obtain sensitive information via the login error messages

[CVE-2025-60632] [Modified: 01-12-2025] [Analyzed] [V3.1 S6.5:MEDIUM] An issue was discovered in Free5GC v4.0.0 and v4.0.1 allowing an attacker to cause a denial of service via crafted POST request to the Npcf_BDTPolicyControl API.

[CVE-2025-60633] [Modified: 01-12-2025] [Analyzed] [V3.1 S6.5:MEDIUM] An issue was discovered in Free5GC v4.0.0 and v4.0.1 allowing an attacker to cause a denial of service via the Nudm_SubscriberDataManagement API.

[CVE-2025-60638] [Modified: 01-12-2025] [Analyzed] [V3.1 S7.5:HIGH] An issue was discovered in Free5GC v4.0.0 and v4.0.1 allowing an attacker to cause a denial of service via crafted POST request to the Nnssf_NSSAIAvailability API.

[CVE-2025-60914] [Modified: 28-11-2025] [Analyzed] [V3.1 S4.6:MEDIUM] Incorrect access control in Austrian Archaeological Institute Openatlas before v8.12.0 allows attackers to access sensitive information via sending a crafted GET request to the /display_logo endpoint.

[CVE-2025-60915] [Modified: 28-11-2025] [Analyzed] [V3.1 S8.1:HIGH] An issue in the size query parameter (/views/file.py) of Austrian Archaeological Institute Openatlas before v8.12.0 allows attackers to execute a path traversal via a crafted request.

[CVE-2025-60916] [Modified: 28-11-2025] [Analyzed] [V3.1 S5.4:MEDIUM] A reflected cross-site scripting (XSS) vulnerability in the /overview/network/ endpoint of Austrian Archaeological Institute Openatlas before v8.12.0 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload into the charge parameter.

[CVE-2025-60917] [Modified: 28-11-2025] [Analyzed] [V3.1 S4.6:MEDIUM] A reflected cross-site scripting (XSS) vulnerability in the /overview/network/ endpoint of Austrian Archaeological Institute Openatlas before v8.12.0 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload into the color parameter.

[CVE-2025-63432] [Modified: 28-11-2025] [Analyzed] [V3.1 S4.6:MEDIUM] Xtooltech Xtool AnyScan Android Application 4.40.40 and prior is Missing SSL Certificate Validation. The application fails to properly validate the TLS certificate from its update server. An attacker on the same network can exploit this vulnerability by performing a Man-in-the-Middle (MITM) attack to intercept, decrypt, and modify traffic between the application and the update server. This serves as the basis for further attacks, including Remote Code Execution.

[CVE-2025-63433] [Modified: 28-11-2025] [Analyzed] [V3.1 S4.6:MEDIUM] Xtooltech Xtool AnyScan Android Application 4.40.40 and prior uses a hardcoded cryptographic key and IV to decrypt update metadata. The key is stored as a static value within the application's code. An attacker with the ability to intercept network traffic can use this hardcoded key to decrypt, modify, and re-encrypt the update manifest, allowing them to direct the application to download a malicious update package.

[CVE-2025-63434] [Modified: 28-11-2025] [Analyzed] [V3.1 S8.8:HIGH] The update mechanism in Xtooltech Xtool AnyScan Android Application 4.40.40 and prior is insecure. The application downloads and extracts update packages containing executable code without performing a cryptographic integrity or authenticity check on their contents. An attacker who can control the update metadata can serve a malicious package, which the application will accept, extract, and later execute, leading to arbitrary code execution.

[CVE-2025-63435] [Modified: 28-11-2025] [Analyzed] [V3.1 S4.3:MEDIUM] Xtooltech Xtool AnyScan Android Application 4.40.40 is Missing Authentication for Critical Function. The server-side endpoint responsible for serving update packages for the application does not require any authentication. This allows an unauthenticated remote attacker to freely download official update packages..

[CVE-2025-63952] [Modified: 30-12-2025] [Analyzed] [V3.1 S5.7:MEDIUM] A Cross-Site Request Forgery (CSRF) in the /mwapi?method=add-user component of Magewell Pro Convert v1.2.213 allows attackers to arbitrarily create accounts via a crafted GET request.

[CVE-2025-63953] [Modified: 30-12-2025] [Analyzed] [V3.1 S6.5:MEDIUM] A Cross-Site Request Forgery (CSRF) in the /usapi?method=add-user component of Magewell Pro Convert v1.2.213 allows attackers to arbitrarily create accounts via a crafted GET request.

[CVE-2025-63958] [Modified: 30-12-2025] [Analyzed] [V3.1 S9.8:CRITICAL] MILLENSYS Vision Tools Workspace 6.5.0.2585 exposes a sensitive configuration endpoint (/MILLENSYS/settings) that is accessible without authentication. This page leaks plaintext database credentials, file share paths, internal license server configuration, and software update parameters. An unauthenticated attacker can retrieve this information by accessing the endpoint directly, potentially leading to full system compromise. The vulnerability is due to missing access controls on a privileged administrative function.

[CVE-2025-36112] [Modified: 01-12-2025] [Analyzed] [V3.1 S5.3:MEDIUM] IBM Sterling B2B Integrator and IBM Sterling File Gateway 6.0.0.0 through 6.1.2.7 and 6.2.0.0 through 6.2.0.5 and 6.2.1.1 could reveal sensitive server IP configuration information to an unauthorized user.

[CVE-2025-56400] [Modified: 30-12-2025] [Analyzed] [V3.1 S8.8:HIGH] Cross-Site Request Forgery (CSRF) vulnerability in the OAuth implementation of the Tuya SDK 6.5.0 for Android and iOS, affects the Tuya Smart and Smartlife mobile applications, as well as other third-party applications that integrate the SDK, allows an attacker to link their own Amazon Alexa account to a victim's Tuya account. The applications fail to validate the OAuth state parameter during the account linking flow, enabling a cross-site request forgery (CSRF)-like attack. By tricking the victim into clicking a crafted authorization link, an attacker can complete the OAuth flow on the victim's behalf, resulting in unauthorized Alexa access to the victim's Tuya-connected devices. This affects users regardless of prior Alexa linkage and does not require the Tuya application to be active at the time. Successful exploitation may allow remote control of devices such as cameras, doorbells, door locks, or alarms.