← Back

Placipy

placipy

Vendor: Prasklatechnology • 10 CVEs

CVEs (10)

CVE
VENDORS
PRODUCTS
UPDATED
PUBLISHED
CVSS
CVE-2026-25875
1Prasklatechnology
1Placipy
Feb 11, 2026
Feb 9, 2026
9.3 CRITICAL· v4
9.8 CRITICAL· v3
N/A· v2
PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, The admin authorization middleware trusts client-controlled JWT claims (role and scope) without enforcing server-side role...Show more
PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, The admin authorization middleware trusts client-controlled JWT claims (role and scope) without enforcing server-side role verification.Show less
CVE-2026-25814
1Prasklatechnology
1Placipy
Feb 18, 2026
Feb 9, 2026
9.3 CRITICAL· v4
9.8 CRITICAL· v3
N/A· v2
PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, User-controlled query parameters are passed directly into DynamoDB query/filter construction without validation or sanitiz...Show more
PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, User-controlled query parameters are passed directly into DynamoDB query/filter construction without validation or sanitization.Show less
CVE-2026-25813
1Prasklatechnology
1Placipy
Feb 18, 2026
Feb 9, 2026
8.7 HIGH· v4
7.5 HIGH· v3
N/A· v2
PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, The application logs highly sensitive data directly to console output without masking or redaction.
CVE-2026-25812
1Prasklatechnology
1Placipy
Feb 18, 2026
Feb 9, 2026
9.3 CRITICAL· v4
8.8 HIGH· v3
N/A· v2
PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the application enables credentialed CORS requests but does not implement any CSRF protection mechanism.
CVE-2026-25811
1Prasklatechnology
1Placipy
Feb 18, 2026
Feb 9, 2026
5.3 MEDIUM· v4
9.1 CRITICAL· v3
N/A· v2
PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the application derives the tenant identifier directly from the email domain provided by the user, without validating doma...Show more
PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the application derives the tenant identifier directly from the email domain provided by the user, without validating domain ownership or registration. This allows cross-tenant data access.Show less
CVE-2026-25876
1Prasklatechnology
1Placipy
Feb 11, 2026
Feb 9, 2026
5.3 MEDIUM· v4
9.1 CRITICAL· v3
N/A· v2
PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the backend/src/routes/results.routes.ts verify authentication but fails to enforce object-level authorization (ownership...Show more
PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the backend/src/routes/results.routes.ts verify authentication but fails to enforce object-level authorization (ownership checks). For example, this can be used to return all results for an assessment.Show less
CVE-2026-25810
1Prasklatechnology
1Placipy
Feb 11, 2026
Feb 9, 2026
5.3 MEDIUM· v4
9.1 CRITICAL· v3
N/A· v2
PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the backend/src/routes/student.submission.routes.ts verify authentication but fails to enforce object-level authorization...Show more
PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the backend/src/routes/student.submission.routes.ts verify authentication but fails to enforce object-level authorization (ownership checks).Show less
CVE-2026-25809
1Prasklatechnology
1Placipy
Feb 11, 2026
Feb 9, 2026
5.3 MEDIUM· v4
9.8 CRITICAL· v3
N/A· v2
PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the code evaluation endpoint does not validate the assessment lifecycle state before allowing execution. There is no check...Show more
PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the code evaluation endpoint does not validate the assessment lifecycle state before allowing execution. There is no check to ensure that the assessment has started, is not expired, or the submission window is currently open.Show less
CVE-2026-25806
1Prasklatechnology
1Placipy
Feb 11, 2026
Feb 9, 2026
5.3 MEDIUM· v4
6.5 MEDIUM· v3
N/A· v2
PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the GET /api/students/:email PUT /api/students/:email/status, and DELETE /api/students/:email routes in backend/src/routes...Show more
PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the GET /api/students/:email PUT /api/students/:email/status, and DELETE /api/students/:email routes in backend/src/routes/student.routes.ts only enforce authentication using authenticateToken but do not enforce authorization. The application does not verify whether the authenticated user owns the student record being accessed, has an administrative / staff role, or is permitted to modify or delete the target student.Show less
CVE-2026-25753
1Prasklatechnology
1Placipy
Feb 11, 2026
Feb 6, 2026
9.3 CRITICAL· v4
9.8 CRITICAL· v3
N/A· v2
PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the application uses a hard-coded, static default password for all newly created student accounts. This results in mass ac...Show more
PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the application uses a hard-coded, static default password for all newly created student accounts. This results in mass account takeover, allowing any attacker to log in as any student once the password is known.Show less