PT-2026-7155 · Placipy · Placipy

Th3Gowtham · Published 2026-02-09 · Updated 2026-02-09 · CVE-2026-25809

CVSS v3.1: 9.8 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

PlaciPy version 1.0.0

Description

PlaciPy is a placement management system for educational institutions. The code evaluation endpoint in version 1.0.0 does not validate the assessment lifecycle state before allowing execution. Specifically, it does not verify that the assessment has started, that it has not expired, or that the submission window is open. The vulnerable endpoint is /api/v1/assessments/{assessment id}/evaluate and the vulnerable variable is assessment id. The evaluateAssessment() function is involved in this issue.

Recommendations

Apply updates that add the missing validation checks to the code evaluation endpoint. As a temporary workaround, restrict access to the /api/v1/assessments/{assessment id}/evaluate endpoint until a fix is available.
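
The three lifecycle checks named in the description, sketched as a guard that runs before any submitted code is evaluated. This is an added example, not PlaciPy's code or its fix: the field names (startsAt, endsAt, submissionOpen), the functions lifecycleViolation and guardedEvaluate, the status codes and the sample data are all assumptions made for illustration.

```javascript
// Added illustration, not PlaciPy code. Field names (startsAt, endsAt,
// submissionOpen) and both function names are hypothetical.

// Returns null when evaluation may proceed, otherwise a reason code.
function lifecycleViolation(assessment, now) {
  if (!assessment) return "not_found";
  const start = Date.parse(assessment.startsAt);
  const end = Date.parse(assessment.endsAt);
  // Fail closed: a missing or malformed schedule must not mean "always open".
  if (Number.isNaN(start) || Number.isNaN(end) || end <= start) {
    return "invalid_schedule";
  }
  const t = now.getTime();
  if (t < start) return "not_started";   // assessment has not started
  if (t >= end) return "expired";        // assessment has expired
  if (assessment.submissionOpen !== true) return "submission_closed";
  return null;
}

// Wraps the evaluator so it is never reached when the lifecycle check fails.
// The clock comes from the server (now), never from the request body.
function guardedEvaluate(store, assessmentId, submission, runEvaluator, now = new Date()) {
  const assessment = store.get(assessmentId);
  const reason = lifecycleViolation(assessment, now);
  if (reason) {
    return { status: reason === "not_found" ? 404 : 403, error: reason };
  }
  return { status: 200, result: runEvaluator(assessment, submission) };
}

// Constructed sample records, for demonstration only.
const sampleStore = new Map([
  ["a1", { startsAt: "2026-02-09T09:00:00Z", endsAt: "2026-02-09T11:00:00Z", submissionOpen: true }],
  ["a2", { startsAt: "2026-02-09T09:00:00Z", endsAt: "2026-02-09T11:00:00Z", submissionOpen: false }],
  ["a3", { startsAt: "2026-02-09T09:00:00Z", endsAt: null, submissionOpen: true }],
]);
```

The guard compares against a server-side clock and treats the end time as exclusive, so a request arriving exactly at endsAt is rejected.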

Exploit

Fix

Weakness Enumeration

Improper Authorization

Related Identifiers

CVE-2026-25809
GHSA-CC32-RP29-W9X7

Affected Products

Placipy