Placipy
CVE-2026-25810
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
2DescriptionGitHub Advisory
PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the backend/src/routes/student.submission.routes.ts verify authentication but fails to enforce object-level authorization (ownership checks).
AnalysisAI
PlaciPy has a missing authorization vulnerability — third of seven critical security flaws.
Technical ContextAI
CWE-862 missing authorization in PlaciPy 1.0.0.
RemediationAI
Do not deploy.
PlaciPy placement system 1.0.0 has an improper authorization vulnerability enabling unauthenticated admin access — secon
PlaciPy has an injection vulnerability allowing user input to be processed as commands — sixth critical flaw.
PlaciPy placement management system 1.0.0 uses a hard-coded password, allowing any attacker who discovers it to gain ful
PlaciPy has an incorrect authorization allowing privilege escalation — seventh and final critical vulnerability.
PlaciPy has another missing authorization vulnerability — fourth of seven critical security flaws.
PlaciPy has an incorrect authorization vulnerability — fifth of seven critical flaws.
Placipy 1.0.0 fails to implement CSRF protections while permitting credentialed cross-origin requests, allowing unauthen
Placipy versions up to 1.0.0 is affected by insertion of sensitive information into log file (CVSS 7.5).
PlaciPy is a placement management system designed for educational institutions. [CVSS 6.5 MEDIUM]
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today