Praskla-Technology Assessment-Placipy vulnerabilities
10 known vulnerabilities affecting praskla-technology/assessment-placipy.
Total CVEs
10
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
CRITICAL7HIGH2MEDIUM1
Vulnerabilities
Page 1 of 1
CVE-2026-25753P2CRITICALCVSS 9.8≤ 1.0.02026-02-06
CVE-2026-25753 [CRITICAL] CWE-259 CVE-2026-25753: PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, th
PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the application uses a hard-coded, static default password for all newly created student accounts. This results in mass account takeover, allowing any attacker to log in as any student once the password is known.
nvd
CVE-2026-25809P3CRITICALCVSS 9.8v= 1.0.02026-02-09
CVE-2026-25809 [CRITICAL] CWE-285 CVE-2026-25809: PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, th
PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the code evaluation endpoint does not validate the assessment lifecycle state before allowing execution. There is no check to ensure that the assessment has started, is not expired, or the submission window is currently open.
nvd
CVE-2026-25875P3CRITICALCVSS 9.8v= 1.0.02026-02-09
CVE-2026-25875 [CRITICAL] CWE-863 CVE-2026-25875: PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, Th
PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, The admin authorization middleware trusts client-controlled JWT claims (role and scope) without enforcing server-side role verification.
nvd
CVE-2026-25811P3CRITICALCVSS 9.1v= 1.0.02026-02-09
CVE-2026-25811 [CRITICAL] CWE-863 CVE-2026-25811: PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, th
PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the application derives the tenant identifier directly from the email domain provided by the user, without validating domain ownership or registration. This allows cross-tenant data access.
nvd
CVE-2026-25810P3CRITICALCVSS 9.1v= 1.0.02026-02-09
CVE-2026-25810 [CRITICAL] CWE-862 CVE-2026-25810: PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, th
PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the backend/src/routes/student.submission.routes.ts verify authentication but fails to enforce object-level authorization (ownership checks).
nvd
CVE-2026-25876P3CRITICALCVSS 9.1v= 1.0.02026-02-09
CVE-2026-25876 [CRITICAL] CWE-862 CVE-2026-25876: PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, th
PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the backend/src/routes/results.routes.ts verify authentication but fails to enforce object-level authorization (ownership checks). For example, this can be used to return all results for an assessment.
nvd
CVE-2026-25814P3CRITICALCVSS 9.8v= 1.0.02026-02-09
CVE-2026-25814 [CRITICAL] CWE-74 CVE-2026-25814: PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, Us
PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, User-controlled query parameters are passed directly into DynamoDB query/filter construction without validation or sanitization.
nvd
CVE-2026-25812P3HIGHCVSS 8.8v= 1.0.02026-02-09
CVE-2026-25812 [HIGH] CWE-352 CVE-2026-25812: PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, th
PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the application enables credentialed CORS requests but does not implement any CSRF protection mechanism.
nvd
CVE-2026-25813P3HIGHCVSS 7.5v= 1.0.02026-02-09
CVE-2026-25813 [HIGH] CWE-532 CVE-2026-25813: PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, Th
PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, The application logs highly sensitive data directly to console output without masking or redaction.
nvd
CVE-2026-25806P3MEDIUMCVSS 6.5v= 1.0.02026-02-09
CVE-2026-25806 [MEDIUM] CWE-862 CVE-2026-25806: PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, th
PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the GET /api/students/:email
PUT /api/students/:email/status, and DELETE /api/students/:email routes in backend/src/routes/student.routes.ts only enforce authentication using authenticateToken but do not enforce authorization. The application does not v
nvd