Description
PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the application uses a hard-coded, static default password for all newly created student accounts. This results in mass account takeover, allowing any attacker to log in as any student once the password is known.
Published: 2026-02-06
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Account Takeover via Hard‑coded Default Password
Action: Immediate Patch
AI Analysis

Impact

PlaciPy, a placement management system, assigns a single static default password to every new student account in version 1.0.0. Because the password is hard‑coded, anyone who discovers it can authenticate as any student. This enables a full account takeover, compromising confidentiality, integrity, and potentially availability for all student records and related operations. The weakness is identified as CWE‑259.

Affected Systems

Version 1.0.0 of Praskla‑Technology’s assessment‑placipy component is affected. The vulnerability is present in all deployments of that release, regardless of configuration or environment. No later versions are listed as affected.

Risk and Exploitability

With a CVSS score of 9.3, the flaw is considered critical. The EPSS score is less than 1%, indicating a low but non‑zero probability of exploitation in the current landscape, and the vulnerability is not listed in CISA’s KEV catalog. Based on the description, an attacker can authenticate as any student via the student portal using the known default password; this attack route is inferred, not explicitly stated. No privileged system access is required; this too is inferred from the nature of the flaw. Because the flaw resides in application logic rather than in a misconfiguration, it is trivial to exploit once the target system is reachable.

Generated by OpenCVE AI on April 18, 2026 at 13:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑supplied patch or upgrade to a version where the default password logic is removed or replaced with unique per‑account passwords.
  • Require an immediate password change for all existing student accounts, preferably enforced at first login or via bulk reset script.
  • Enforce an account creation policy that generates a unique password per student or mandates that the user chooses a password before the account becomes active, and enable auditing of account creation.
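As an added illustration of the recommended actions above (hypothetical Python helper, not PlaciPy's own code): each account gets a unique random one-time password instead of a shared default, login with that password only succeeds if a new password is set in the same step, every creation writes an audit record, and existing accounts can be bulk-flagged for a forced reset. The data class, function names and the PBKDF2 work factor are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

PBKDF2_ROUNDS = 200_000  # assumed PBKDF2-HMAC-SHA256 work factor


@dataclass
class StudentAccount:
    student_id: str
    salt: bytes
    pw_hash: bytes
    must_change_password: bool


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def provision_student(student_id: str, audit_log: list) -> tuple:
    """Create an account with a unique, random one-time password (no shared default).

    The plaintext is returned once for out-of-band delivery and is never stored.
    """
    temp_password = secrets.token_urlsafe(12)  # different for every account
    salt = secrets.token_bytes(16)
    account = StudentAccount(student_id, salt, _hash(temp_password, salt), True)
    audit_log.append({"event": "account_created", "student_id": student_id})
    return account, temp_password


def require_reset(accounts: list) -> int:
    """Bulk remediation for existing accounts: force a change at next login."""
    for acct in accounts:
        acct.must_change_password = True
    return len(accounts)


def login(account: StudentAccount, password: str, new_password: Optional[str] = None) -> str:
    """Return 'ok', 'denied' or 'change_required'.

    While the one-time password is in force, the session is only granted when a
    different new password is supplied, so the initial secret cannot operate the account.
    """
    if not hmac.compare_digest(_hash(password, account.salt), account.pw_hash):
        return "denied"
    if account.must_change_password:
        if not new_password or new_password == password:
            return "change_required"
        account.salt = secrets.token_bytes(16)  # re-salt on every password change
        account.pw_hash = _hash(new_password, account.salt)
        account.must_change_password = False
    return "ok"
```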

Advisories

No advisories yet.

History

Wed, 11 Feb 2026 19:15:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Prasklatechnology; Prasklatechnology placipy
CPEs                |                | cpe:2.3:a:prasklatechnology:placipy:1.0.0:*:*:*:*:*:*:*
Vendors & Products  |                | Prasklatechnology; Prasklatechnology placipy
Metrics             |                | cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Mon, 09 Feb 2026 16:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 09 Feb 2026 11:00:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Praskla-technology; Praskla-technology assessment-placipy
Vendors & Products  |                | Praskla-technology; Praskla-technology assessment-placipy

Fri, 06 Feb 2026 19:15:00 +0000

Type        | Values Removed | Values Added
Description |                | PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the application uses a hard-coded, static default password for all newly created student accounts. This results in mass account takeover, allowing any attacker to log in as any student once the password is known.
Title       |                | PlaciPy has a Hard-Coded Default Password for All Student Accounts (Account Takeover)
Weaknesses  |                | CWE-259
References  |                |
Metrics     |                | cvssV4_0 {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-09T15:28:38.433Z

Reserved: 2026-02-05T18:35:52.357Z

Link: CVE-2026-25753

Vulnrichment

Updated: 2026-02-09T15:22:54.331Z

NVD

Status : Analyzed

Published: 2026-02-06T19:16:10.473

Modified: 2026-02-11T19:03:15.400

Link: CVE-2026-25753

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T13:45:45Z

Weaknesses