Placipy
CVE-2026-25753
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionGitHub Advisory
PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the application uses a hard-coded, static default password for all newly created student accounts. This results in mass account takeover, allowing any attacker to log in as any student once the password is known.
AnalysisAI
PlaciPy placement management system 1.0.0 uses a hard-coded password, allowing any attacker who discovers it to gain full system access.
Technical ContextAI
PlaciPy 1.0.0 has a CWE-259 use of hard-coded password vulnerability. First of seven critical PlaciPy vulnerabilities (CVE-2026-25753 through 25876).
RemediationAI
Do not deploy PlaciPy 1.0.0 in production. Seven critical vulnerabilities make it fundamentally insecure.
PlaciPy placement system 1.0.0 has an improper authorization vulnerability enabling unauthenticated admin access — secon
PlaciPy has an injection vulnerability allowing user input to be processed as commands — sixth critical flaw.
PlaciPy has an incorrect authorization allowing privilege escalation — seventh and final critical vulnerability.
PlaciPy has another missing authorization vulnerability — fourth of seven critical security flaws.
PlaciPy has a missing authorization vulnerability — third of seven critical security flaws.
PlaciPy has an incorrect authorization vulnerability — fifth of seven critical flaws.
Placipy 1.0.0 fails to implement CSRF protections while permitting credentialed cross-origin requests, allowing unauthen
Placipy versions up to 1.0.0 is affected by insertion of sensitive information into log file (CVSS 7.5).
PlaciPy is a placement management system designed for educational institutions. [CVSS 6.5 MEDIUM]
Same weakness CWE-259 – Use of Hard-coded Password
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today