CVE-2026-25809— PlaciPy Code Execution Allowed Without Assessment Active State Validation
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-25809
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
PlaciPy Code Execution Allowed Without Assessment Active State Validation
Source: NVD (National Vulnerability Database)
Vulnerability Description
PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the code evaluation endpoint does not validate the assessment lifecycle state before allowing execution. There is no check to ensure that the assessment has started, is not expired, or the submission window is currently open.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
授权机制不恰当
Source: NVD (National Vulnerability Database)
Vulnerability Title
PlaciPy 授权问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
PlaciPy是PlaciPy开源的一个生成占位符图片的工具。 PlaciPy 1.0.0版本存在授权问题漏洞,该漏洞源于代码评估端点未验证评估生命周期状态,可能导致未授权执行。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Praskla-Technology | assessment-placipy | = 1.0.0 | - |
II. Public POCs for CVE-2026-25809
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-25809
请登录查看更多情报信息。
Same Patch Batch · Praskla-Technology · 2026-02-09 · 9 CVEs total
| CVE-2026-25810 | PlaciPy is Missing Object-Level Authorization in student.submission.routes.ts | |
| CVE-2026-25806 | PlaciPy has Missing Authorization Checks on Student Management Endpoints (IDOR) | |
| CVE-2026-25876 | PlaciPy is Missing Authorization on Assessment Results Endpoint | |
| CVE-2026-25811 | PlaciPy Email Domain Trust Enables Cross-Tenant Data Access (Multi-Tenant Isolation Failur | |
| CVE-2026-25812 | PlaciPy is Missing CSRF Protection on State-Changing Endpoints | |
| CVE-2026-25813 | PlaciPy Exposes Sensitive Data via Application Logs | |
| CVE-2026-25875 | PlaciPy Admin Privilege Escalation via Trusted JWT Claims | |
| CVE-2026-25814 | NoSQL Injection Risk via Unsanitized Query Parameters |
IV. Related Vulnerabilities
Same product: assessment-placipy
- CVE-2026-25875
PlaciPy Admin Privilege Escalation via Trusted JWT Claims - CVE-2026-25814
NoSQL Injection Risk via Unsanitized Query Parameters - CVE-2026-25813
PlaciPy Exposes Sensitive Data via Application Logs - CVE-2026-25812
PlaciPy is Missing CSRF Protection on State-Changing Endpoin - CVE-2026-25811
PlaciPy Email Domain Trust Enables Cross-Tenant Data Access
Same vendor: Praskla-Technology
- CVE-2026-25875
PlaciPy Admin Privilege Escalation via Trusted JWT Claims - CVE-2026-25814
NoSQL Injection Risk via Unsanitized Query Parameters - CVE-2026-25813
PlaciPy Exposes Sensitive Data via Application Logs - CVE-2026-25812
PlaciPy is Missing CSRF Protection on State-Changing Endpoin - CVE-2026-25811
PlaciPy Email Domain Trust Enables Cross-Tenant Data Access
Same weakness: CWE-285
- CVE-2026-8241
Industrial Application Software IAS Canias ERP RMI iasGetSer - CVE-2026-42202
nova-toggle-5: Improper authorization on toggle endpoint all - CVE-2026-33823
Microsoft Team Events Portal Information Disclosure Vulnerab - CVE-2026-41572
Note Mark: Unauthenticated read of notes and assets in soft- - CVE-2026-7713
crocodilestick Calibre-Web-Automated Kobo auth-token Route k
V. Comments for CVE-2026-25809
No comments yet