
79 matches found

CVE
added 2026/02/09 9:0 p.m. | 11 views

CVE-2026-25811

CVE-2026-25811 affects PlaciPy 1.0.0. Root cause: tenant identifiers are derived from user email domains without validating domain ownership/registration, enabling cross-tenant data access. Impact is cross-tenant data exposure; CVSS notes indicate high confidentiality/integrity impact in some vec...

CVSS 9.1 | AI score 5.5 | EPSS 0.00269
Exploits: 0 | References: 1 | Affected Software: 1
OSV
added 2026/02/09 9:0 p.m. | 4 views

CVE-2026-25811 PlaciPy Email Domain Trust Enables Cross-Tenant Data Access (Multi-Tenant Isolation Failure)

PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the application derives the tenant identifier directly from the email domain provided by the user, without validating domain ownership or registration. This allows cross-tenant data access...

CVSS 5.3 | AI score 5.5 | EPSS 0.00269
Exploits: 0 | References: 3
Vulnrichment
added 2026/02/09 8:58 p.m. | 4 views

CVE-2026-25809 PlaciPy Code Execution Allowed Without Assessment Active State Validation

PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the code evaluation endpoint does not validate the assessment lifecycle state before allowing execution. There is no check to ensure that the assessment has started, is not expired, or the submission...

CVSS 5.3 | AI score 5.6 | EPSS 0.0031
Exploits: 0 | References: 1
Cvelist
added 2026/02/09 8:58 p.m. | 23 views

CVE-2026-25809 PlaciPy Code Execution Allowed Without Assessment Active State Validation

PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the code evaluation endpoint does not validate the assessment lifecycle state before allowing execution. There is no check to ensure that the assessment has started, is not expired, or the submission...

CVSS 5.3 | EPSS 0.0031
Exploits: 0 | References: 1
ATTACKERKB
added 2026/02/09 8:58 p.m. | 5 views

CVE-2026-25809

PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the code evaluation endpoint does not validate the assessment lifecycle state before allowing execution. There is no check to ensure that the assessment has started, is not expired, or the submission...

CVSS 5.3 | AI score 5.6 | EPSS 0.0031
Exploits: 0 | References: 2
CVE
added 2026/02/09 8:58 p.m. | 9 views

CVE-2026-25809

CVE-2026-25809 affects PlaciPy 1.0.0. The code evaluation endpoint does not validate the assessment lifecycle state (whether started, expired, or submission window open), potentially allowing execution without proper sequencing. This is documented across multiple feeds (NVD, Red Hat, CVE records,...

CVSS 9.8 | AI score 5.6 | EPSS 0.0031
Exploits: 0 | References: 1 | Affected Software: 1
OSV
added 2026/02/09 8:58 p.m. | 4 views

CVE-2026-25809 PlaciPy Code Execution Allowed Without Assessment Active State Validation

PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the code evaluation endpoint does not validate the assessment lifecycle state before allowing execution. There is no check to ensure that the assessment has started, is not expired, or the submission...

CVSS 5.3 | AI score 5.7 | EPSS 0.0031
Exploits: 0 | References: 3
Vulnrichment
added 2026/02/09 8:48 p.m. | 3 views

CVE-2026-25806 PlaciPy has Missing Authorization Checks on Student Management Endpoints (IDOR)

PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the GET /api/students/:email, PUT /api/students/:email/status, and DELETE /api/students/:email routes in backend/src/routes/student.routes.ts only enforce authentication using authenticateToken but do...

CVSS 5.3 | AI score 5.5 | EPSS 0.00212
Exploits: 0 | References: 1
Cvelist
added 2026/02/09 8:48 p.m. | 24 views

CVE-2026-25806 PlaciPy has Missing Authorization Checks on Student Management Endpoints (IDOR)

PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the GET /api/students/:email, PUT /api/students/:email/status, and DELETE /api/students/:email routes in backend/src/routes/student.routes.ts only enforce authentication using authenticateToken but do...

CVSS 5.3 | EPSS 0.00212
Exploits: 0 | References: 1
ATTACKERKB
added 2026/02/09 8:48 p.m. | 2 views

CVE-2026-25806

PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the GET /api/students/:email, PUT /api/students/:email/status, and DELETE /api/students/:email routes in backend/src/routes/student.routes.ts only enforce authentication using authenticateToken but do...

CVSS 5.3 | AI score 5.5 | EPSS 0.00212
Exploits: 0 | References: 2
OSV
added 2026/02/09 8:48 p.m. | 4 views

CVE-2026-25806 PlaciPy has Missing Authorization Checks on Student Management Endpoints (IDOR)

PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the GET /api/students/:email, PUT /api/students/:email/status, and DELETE /api/students/:email routes in backend/src/routes/student.routes.ts only enforce authentication using authenticateToken but do...

CVSS 5.3 | AI score 5.6 | EPSS 0.00212
Exploits: 0 | References: 3
Vulnrichment
added 2026/02/09 8:48 p.m. | 1 view

CVE-2026-25810 PlaciPy is Missing Object-Level Authorization in student.submission.routes.ts

PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the backend/src/routes/student.submission.routes.ts verifies authentication but fails to enforce object-level authorization ownership checks...

CVSS 5.3 | AI score 5.5 | EPSS 0.00246
Exploits: 0 | References: 1
Cvelist
added 2026/02/09 8:48 p.m. | 30 views

CVE-2026-25810 PlaciPy is Missing Object-Level Authorization in student.submission.routes.ts

PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the backend/src/routes/student.submission.routes.ts verifies authentication but fails to enforce object-level authorization ownership checks...

CVSS 5.3 | EPSS 0.00246
Exploits: 0 | References: 1
ATTACKERKB
added 2026/02/09 8:48 p.m. | 5 views

CVE-2026-25810

PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the backend/src/routes/student.submission.routes.ts verifies authentication but fails to enforce object-level authorization ownership checks...

CVSS 5.3 | AI score 5.5 | EPSS 0.00246
Exploits: 0 | References: 2
OSV
added 2026/02/09 8:48 p.m. | 3 views

CVE-2026-25810 PlaciPy is Missing Object-Level Authorization in student.submission.routes.ts

PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the backend/src/routes/student.submission.routes.ts verifies authentication but fails to enforce object-level authorization ownership checks...

CVSS 5.3 | AI score 5.5 | EPSS 0.00246
Exploits: 0 | References: 3
Cvelist
added 2026/02/09 8:48 p.m. | 27 views

CVE-2026-25876 PlaciPy is Missing Authorization on Assessment Results Endpoint

PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the backend/src/routes/results.routes.ts verifies authentication but fails to enforce object-level authorization ownership checks. For example, this can be used to return all results for an assessment...

CVSS 5.3 | EPSS 0.00246
Exploits: 0 | References: 1
ATTACKERKB
added 2026/02/09 8:48 p.m. | 3 views

CVE-2026-25876

PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the backend/src/routes/results.routes.ts verifies authentication but fails to enforce object-level authorization ownership checks. For example, this can be used to return all results for an assessment...

CVSS 5.3 | AI score 5.5 | EPSS 0.00246
Exploits: 0 | References: 2
CVE
added 2026/02/09 8:48 p.m. | 11 views

CVE-2026-25876

Technical details are not publicly available in the provided documents. Monitor for updates from vendors and security advisories.

CVSS 9.1 | AI score 5.5 | EPSS 0.00246
Exploits: 0 | References: 1 | Affected Software: 1
OSV
added 2026/02/09 8:48 p.m. | 3 views

CVE-2026-25876 PlaciPy is Missing Authorization on Assessment Results Endpoint

PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the backend/src/routes/results.routes.ts verifies authentication but fails to enforce object-level authorization ownership checks. For example, this can be used to return all results for an assessment...

CVSS 5.3 | AI score 5.5 | EPSS 0.00246
Exploits: 0 | References: 3
CNNVD
added 2026/02/09 12:0 a.m. | 4 views

PlaciPy Security Vulnerability

PlaciPy is an open-source employment management system developed by Praskla Technology. It aims to simplify the employment processes for students, trainers, and administrators in educational institutions. Version 1.0.0 of PlaciPy contains a security vulnerability. This vulnerability arises from t...

CVSS 6.5 | AI score 5.8 | EPSS 0.00212
Exploits: 0 | References: 1