PT-2026-7154 · Placipy · Placipy

Devdeep781 +2 · Published 2026-02-09 · Updated 2026-02-09 · CVE-2026-25806

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions

PlaciPy version 1.0.0

Description

PlaciPy is a placement management system for educational institutions. The GET /api/students/:email, PUT /api/students/:email/status, and DELETE /api/students/:email routes do not enforce authorization. The application does not verify if the authenticated user owns the student record, has an administrative role, or is permitted to modify or delete the student data. The vulnerable parameter is email.

Recommendations

Implement authorization checks for the GET /api/students/:email, PUT /api/students/:email/status, and DELETE /api/students/:email routes to ensure that only authorized users can access and modify student records.
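
One way to implement the recommended check, as an added example that is not PlaciPy's own code. It assumes Express-style middleware, an earlier authentication step that sets req.user = { email, role }, a hypothetical role name 'admin', and an assumed policy in which a student may only read their own record.

```javascript
// Added example: authorization middleware for the three /api/students/:email routes.
// Assumptions (not from PlaciPy): req.user = { email, role } is set by an
// authentication step that runs first; 'admin' is a hypothetical role name.
const ADMIN_ROLES = new Set(['admin']);

// Normalise e-mail addresses so case or whitespace variants compare equal.
function normEmail(value) {
  return typeof value === 'string' ? value.trim().toLowerCase() : '';
}

// Decide whether `user` may perform `method` on the record keyed by `targetEmail`.
// Assumed policy: admins may do anything; a student may only GET their own record;
// status changes (PUT) and deletion (DELETE) are admin-only.
function canAccessStudent(user, method, targetEmail) {
  if (!user || !user.email) return false;
  if (ADMIN_ROLES.has(user.role)) return true;
  const own = normEmail(user.email);
  const isOwner = own !== '' && own === normEmail(targetEmail);
  return isOwner && method === 'GET';
}

// Express-style middleware: 401 without an identity, 403 when the identity
// is not allowed to touch the record named in the :email parameter.
function authorizeStudentAccess(req, res, next) {
  if (!req.user) {
    return res.status(401).json({ error: 'authentication required' });
  }
  if (!canAccessStudent(req.user, req.method, req.params.email)) {
    return res.status(403).json({ error: 'forbidden' });
  }
  return next();
}

// Wiring (app, authenticate and the handlers are assumed to exist):
// app.get('/api/students/:email', authenticate, authorizeStudentAccess, getStudent);
// app.put('/api/students/:email/status', authenticate, authorizeStudentAccess, setStatus);
// app.delete('/api/students/:email', authenticate, authorizeStudentAccess, deleteStudent);
```

The decision is keyed on the identity from the session or token, never on the email value supplied in the URL alone.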

Exploit

Fix

Missing Authorization

Weakness Enumeration

Related Identifiers

CVE-2026-25806
GHSA-99GR-8933-3VWJ

Affected Products

Placipy