Skip to main content

Placipy CVE-2026-25753

CRITICAL
Use of Hard-coded Password (CWE-259)
2026-02-06 security-advisories@github.com
9.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Mar 12, 2026 - 21:54 vuln.today
CVE Published
Feb 06, 2026 - 19:16 nvd
CRITICAL 9.8

DescriptionGitHub Advisory

PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the application uses a hard-coded, static default password for all newly created student accounts. This results in mass account takeover, allowing any attacker to log in as any student once the password is known.

AnalysisAI

PlaciPy placement management system 1.0.0 uses a hard-coded password, allowing any attacker who discovers it to gain full system access.

Technical ContextAI

PlaciPy 1.0.0 has a CWE-259 use of hard-coded password vulnerability. First of seven critical PlaciPy vulnerabilities (CVE-2026-25753 through 25876).

RemediationAI

Do not deploy PlaciPy 1.0.0 in production. Seven critical vulnerabilities make it fundamentally insecure.

Share

CVE-2026-25753 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy