Placipy
CVE-2026-25806
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
2DescriptionGitHub Advisory
PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the GET /api/students/:email PUT /api/students/:email/status, and DELETE /api/students/:email routes in backend/src/routes/student.routes.ts only enforce authentication using authenticateToken but do not enforce authorization. The application does not verify whether the authenticated user owns the student record being accessed, has an administrative / staff role, or is permitted to modify or delete the target student.
AnalysisAI
PlaciPy is a placement management system designed for educational institutions. [CVSS 6.5 MEDIUM]
Technical ContextAI
Classified as CWE-862 (Missing Authorization). Affects Placipy. PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the GET /api/students/:email PUT /api/students/:email/status, and DELETE /api/students/:email routes in backend/src/routes/student.routes.ts only enforce authentication using authenticateToken but do not enforce authorization. The application does not verify whether the authenticated user owns the student record being accessed, has an administrative / staff role, or is permitted to modify or delete
RemediationAI
Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.
PlaciPy placement system 1.0.0 has an improper authorization vulnerability enabling unauthenticated admin access — secon
PlaciPy has an injection vulnerability allowing user input to be processed as commands — sixth critical flaw.
PlaciPy placement management system 1.0.0 uses a hard-coded password, allowing any attacker who discovers it to gain ful
PlaciPy has an incorrect authorization allowing privilege escalation — seventh and final critical vulnerability.
PlaciPy has another missing authorization vulnerability — fourth of seven critical security flaws.
PlaciPy has a missing authorization vulnerability — third of seven critical security flaws.
PlaciPy has an incorrect authorization vulnerability — fifth of seven critical flaws.
Placipy 1.0.0 fails to implement CSRF protections while permitting credentialed cross-origin requests, allowing unauthen
Placipy versions up to 1.0.0 is affected by insertion of sensitive information into log file (CVSS 7.5).
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today