Skip to main content

Placipy CVE-2026-25809

CRITICAL
Improper Authorization (CWE-285)
2026-02-09 security-advisories@github.com
9.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Mar 12, 2026 - 21:54 vuln.today
CVE Published
Feb 09, 2026 - 21:15 nvd
CRITICAL 9.8

DescriptionGitHub Advisory

PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the code evaluation endpoint does not validate the assessment lifecycle state before allowing execution. There is no check to ensure that the assessment has started, is not expired, or the submission window is currently open.

AnalysisAI

PlaciPy placement system 1.0.0 has an improper authorization vulnerability enabling unauthenticated admin access — second of seven critical PlaciPy vulnerabilities.

Technical ContextAI

CWE-285 improper authorization in PlaciPy 1.0.0, the second of seven critical vulnerabilities making the system fundamentally insecure.

RemediationAI

Do not use PlaciPy 1.0.0 in production.

Share

CVE-2026-25809 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy