CVE-2026-25806

🗓️ 09 Feb 2026 20:48:58Reported by GitHub_MType

cve🔗 web.nvd.nist.gov👁 9 Views🌐 WEB

PlaciPy 1.0.0 exposes IDOR via missing authorization on GET/PUT/DELETE /api/students/:email.

Reporter	Title	Published	Views	Family All 8
ATTACKERKB	CVE-2026-25806	9 Feb 202620:48	–	attackerkb
CNNVD	PlaciPy 安全漏洞	9 Feb 202600:00	–	cnnvd
Cvelist	CVE-2026-25806 PlaciPy has Missing Authorization Checks on Student Management Endpoints (IDOR)	9 Feb 202620:48	–	cvelist
NVD	CVE-2026-25806	9 Feb 202621:15	–	nvd
OSV	CVE-2026-25806 PlaciPy has Missing Authorization Checks on Student Management Endpoints (IDOR)	9 Feb 202620:48	–	osv
Positive Technologies	PT-2026-7154	9 Feb 202600:00	–	ptsecurity
RedhatCVE	CVE-2026-25806	11 Feb 202601:33	–	redhatcve
Vulnrichment	CVE-2026-25806 PlaciPy has Missing Authorization Checks on Student Management Endpoints (IDOR)	9 Feb 202620:48	–	vulnrichment

NVD

Vulners

Node

prasklatechnology placipyMatch1.0.0

[
  {
    "vendor": "Praskla-Technology",
    "product": "assessment-placipy",
    "versions": [
      {
        "version": "= 1.0.0",
        "status": "affected"
      }
    ]
  }
]

Source	Link
github	www.github.com/Praskla-Technology/assessment-placipy/security/advisories/GHSA-99gr-8933-3vwj

Parameter	Position	Path	Description	CWE
email	path	api/students/:email	Missing authorization check allows access to any student by providing an arbitrary email.	CWE-862
email	path	api/students/:email/status	Missing authorization check on status update allows modifying status for any student.	CWE-862
status	path	api/students/:email/status	Missing authorization check on status update allows modifying status for any student.	CWE-862
email	path	api/students/:email	Missing authorization check on deletion allows deleting any student record.	CWE-862

11 Feb 2026 19:41Current

5.5Medium risk

Vulners AI Score5.5

CVSS 3.16.5

CVSS 45.3

EPSS0.0007

SSVC

CWE-862