PT-2026-7157 · Placipy · Placipy
Th3Gowham · Published 2026-02-09 · Updated 2026-02-18 · CVE-2026-25811
CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions
PlaciPy version 1.0.0
Description
PlaciPy is a placement management system for educational institutions. Version 1.0.0 improperly derives the tenant identifier from the user-provided email domain without validating ownership or registration. This flaw enables cross-tenant data access. The application uses the email domain to determine the tenant, potentially allowing a user to access data belonging to another tenant by simply using an email address with a different domain.
Recommendations
Implement proper domain validation to ensure users only have access to data within their registered tenant.
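
One way to apply this recommendation, shown beside the flawed pattern the description names. This is an added example, not PlaciPy's code: the domain registry, records and function names are constructed for illustration, and it assumes a tenant proves ownership of its domain before the domain enters the registry.

```python
"""Tenant resolution: the flawed pattern beside a hardened one (constructed example)."""
from dataclasses import dataclass

# Constructed data: domains whose ownership a tenant has already proven,
# and per-tenant records keyed by that domain.
VERIFIED_DOMAINS = {"alpha-college.example", "beta-institute.example"}
RECORDS = {
    "alpha-college.example": ["alpha placement record"],
    "beta-institute.example": ["beta placement record"],
}

@dataclass(frozen=True)
class Account:
    email: str
    tenant_id: str  # bound server-side at registration, never taken from a request

def email_domain(email: str) -> str:
    """Return the normalized domain part, rejecting malformed addresses."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("malformed email address")
    return domain.lower().rstrip(".")

def fetch_records_vulnerable(claimed_email: str) -> list:
    # Flawed: the tenant is whatever domain the caller typed; nothing checks
    # that the caller owns the mailbox or belongs to that tenant.
    return RECORDS.get(email_domain(claimed_email), [])

def register(email: str, mailbox_confirmed: bool) -> Account:
    """Bind an account to a tenant only after both checks pass."""
    domain = email_domain(email)
    if domain not in VERIFIED_DOMAINS:
        raise PermissionError("domain is not registered to any tenant")
    if not mailbox_confirmed:  # e.g. a confirmation link sent to the address
        raise PermissionError("mailbox control not confirmed")
    return Account(email=email, tenant_id=domain)

def fetch_records(account: Account, requested_tenant: str) -> list:
    # Hardened: authorization compares against the stored binding, so a
    # request naming another tenant is refused rather than re-resolved.
    if requested_tenant != account.tenant_id:
        raise PermissionError("cross-tenant access denied")
    return RECORDS[account.tenant_id]
```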
Exploit
Fix
Incorrect Authorization
Affected Products
Placipy