Placipy
CVE-2026-25812
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionGitHub Advisory
PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the application enables credentialed CORS requests but does not implement any CSRF protection mechanism.
AnalysisAI
Placipy 1.0.0 fails to implement CSRF protections while permitting credentialed cross-origin requests, allowing unauthenticated attackers to perform unauthorized actions on behalf of logged-in users through malicious websites. An attacker can exploit this vulnerability to modify placement records, access sensitive educational data, or compromise institutional operations without user knowledge. No patch is currently available.
Technical ContextAI
Classified as CWE-352 (Cross-Site Request Forgery (CSRF)). Affects Placipy. PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the application enables credentialed CORS requests but does not implement any CSRF protection mechanism.
RemediationAI
Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.
PlaciPy placement system 1.0.0 has an improper authorization vulnerability enabling unauthenticated admin access — secon
PlaciPy has an injection vulnerability allowing user input to be processed as commands — sixth critical flaw.
PlaciPy placement management system 1.0.0 uses a hard-coded password, allowing any attacker who discovers it to gain ful
PlaciPy has an incorrect authorization allowing privilege escalation — seventh and final critical vulnerability.
PlaciPy has another missing authorization vulnerability — fourth of seven critical security flaws.
PlaciPy has a missing authorization vulnerability — third of seven critical security flaws.
PlaciPy has an incorrect authorization vulnerability — fifth of seven critical flaws.
Placipy versions up to 1.0.0 is affected by insertion of sensitive information into log file (CVSS 7.5).
PlaciPy is a placement management system designed for educational institutions. [CVSS 6.5 MEDIUM]
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today