Placipy
CVE-2026-25814
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionGitHub Advisory
PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, User-controlled query parameters are passed directly into DynamoDB query/filter construction without validation or sanitization.
AnalysisAI
PlaciPy has an injection vulnerability allowing user input to be processed as commands — sixth critical flaw.
Technical ContextAI
CWE-74 injection in PlaciPy 1.0.0's user input processing.
RemediationAI
Do not deploy.
PlaciPy placement system 1.0.0 has an improper authorization vulnerability enabling unauthenticated admin access — secon
PlaciPy placement management system 1.0.0 uses a hard-coded password, allowing any attacker who discovers it to gain ful
PlaciPy has an incorrect authorization allowing privilege escalation — seventh and final critical vulnerability.
PlaciPy has another missing authorization vulnerability — fourth of seven critical security flaws.
PlaciPy has a missing authorization vulnerability — third of seven critical security flaws.
PlaciPy has an incorrect authorization vulnerability — fifth of seven critical flaws.
Placipy 1.0.0 fails to implement CSRF protections while permitting credentialed cross-origin requests, allowing unauthen
Placipy versions up to 1.0.0 is affected by insertion of sensitive information into log file (CVSS 7.5).
PlaciPy is a placement management system designed for educational institutions. [CVSS 6.5 MEDIUM]
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today