PT-2026-7162 · Placipy · Placipy
Highth3Gowhampublished
Published 2026-02-09 · Updated 2026-02-09
CVE-2026-25876
CVSS v3.1: 9.1 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions
PlaciPy version 1.0.0
Description
PlaciPy is a placement management system for educational institutions. In version 1.0.0, the vulnerable route, /backend/src/routes/results.routes.ts, verifies authentication but does not enforce object-level authorization, specifically ownership checks. This allows unauthorized access to data, such as retrieving all results for an assessment.
Recommendations
Implement object-level authorization checks to ensure users can only access data they are authorized to view.
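The recommendation above, sketched as an added example; this is not PlaciPy's code. The roles, record shapes, function names and sample data are assumptions made for illustration, and the caller's identity is assumed to come from the verified session rather than from request parameters.

```typescript
// Added illustration; the types, roles and sample data are assumptions,
// not PlaciPy's actual schema or code.
type Role = "student" | "staff";
interface User { id: string; role: Role }
interface Assessment { id: string; ownerId: string }
interface Result { assessmentId: string; studentId: string; score: number }
interface Reply { status: number; body: Result[] }

// Constructed sample data.
const assessments: Assessment[] = [
  { id: "a1", ownerId: "staff-1" },
  { id: "a2", ownerId: "staff-2" },
];
const results: Result[] = [
  { assessmentId: "a1", studentId: "stu-1", score: 71 },
  { assessmentId: "a1", studentId: "stu-2", score: 88 },
  { assessmentId: "a2", studentId: "stu-1", score: 64 },
];

// Weak pattern: the caller is authenticated, but nothing ties the
// requested assessment to that caller, so every row is returned.
function listResultsAuthOnly(user: User | null, assessmentId: string): Reply {
  if (!user) return { status: 401, body: [] };
  return { status: 200, body: results.filter(r => r.assessmentId === assessmentId) };
}

// Hardened pattern: authenticate first, then authorize against the object.
function listResultsWithOwnership(user: User | null, assessmentId: string): Reply {
  if (!user) return { status: 401, body: [] };
  const assessment = assessments.filter(a => a.id === assessmentId)[0];
  if (!assessment) return { status: 404, body: [] };
  const rows = results.filter(r => r.assessmentId === assessmentId);
  if (user.role === "staff") {
    // Staff may list results only for assessments they own.
    return assessment.ownerId === user.id
      ? { status: 200, body: rows }
      : { status: 403, body: [] };
  }
  // Students only ever receive their own rows; none means no access.
  const own = rows.filter(r => r.studentId === user.id);
  return own.length > 0 ? { status: 200, body: own } : { status: 403, body: [] };
}
```

The same decision can live in route middleware, provided it runs on every handler that takes an assessment or result identifier from the request.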
Weakness Enumeration
Missing Authorization
Affected Products
Placipy