Description
PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the application derives the tenant identifier directly from the email domain provided by the user, without validating domain ownership or registration. This allows cross-tenant data access.
Published: 2026-02-09
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized cross‑tenant data access
Action: Patch
AI Analysis

Impact

This vulnerability arises because the application extracts the tenant identifier directly from the email domain entered by the user in its placement management system. The missing validation of domain ownership or registration enables an attacker to impersonate any tenant by using a forged email domain, resulting in unauthorized access to another tenant’s data. The flaw is a classic missing authorization check, mapped to Access Control: Missing Check for Authorization.

Affected Systems

Praskla Technology’s assessment‑placipy, version 1.0.0, deployed by educational institutions for student placement management.

Risk and Exploitability

The CVSS base score of 5.3 indicates moderate severity, while an EPSS score of less than 1% suggests that exploitation is unlikely to occur in the near term. The vulnerability is not listed in the CISA KEV catalog. An attacker can manipulate the email domain field, which is likely an input path exposed to users, to elevate privileges within the system. Successful exploitation would allow the attacker to retrieve sensitive information belonging to other tenants, compromising confidentiality and potentially affecting integrity if the data is tampered with.

Generated by OpenCVE AI on April 17, 2026 at 21:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the PlaciPy application to a version that validates email domain ownership before assigning tenant identifiers.
  • If an immediate patch is unavailable, implement a domain whitelisting mechanism so only registered domains can be used to determine tenant context.
  • Enforce strict input validation and an explicit authorization check that verifies the requester’s tenant against the requested data before any access is granted.

Generated by OpenCVE AI on April 17, 2026 at 21:12 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 18 Feb 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Prasklatechnology
Prasklatechnology placipy
CPEs cpe:2.3:a:prasklatechnology:placipy:1.0.0:*:*:*:*:*:*:*
Vendors & Products Prasklatechnology
Prasklatechnology placipy
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}

Tue, 10 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 10 Feb 2026 12:45:00 +0000

Type Values Removed Values Added
First Time appeared Praskla-technology
Praskla-technology assessment-placipy
Vendors & Products Praskla-technology
Praskla-technology assessment-placipy

Mon, 09 Feb 2026 21:30:00 +0000

Type Values Removed Values Added
Description PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the application derives the tenant identifier directly from the email domain provided by the user, without validating domain ownership or registration. This allows cross-tenant data access.
Title PlaciPy Email Domain Trust Enables Cross-Tenant Data Access (Multi-Tenant Isolation Failure)
Weaknesses CWE-863
References
Metrics cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Praskla-technology Assessment-placipy
Prasklatechnology Placipy
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-10T15:58:42.295Z

Reserved: 2026-02-05T19:58:01.642Z

Link: CVE-2026-25811

cve-icon Vulnrichment

Updated: 2026-02-10T15:30:10.649Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-09T22:16:02.583

Modified: 2026-02-18T20:30:48.723

Link: CVE-2026-25811

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T21:15:27Z

Weaknesses