CVE-2026-25806
PlaciPy (version 1.0.0) exposes potential IDOR-like authorization gaps on student records via GET /api/students/:email, PUT /api/students/:email/status, and DELETE /api/students/:email. The backend only enforces authentication (authenticateToken) and does not verify ownership, administrative/staf...