Description
PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the application enables credentialed CORS requests but does not implement any CSRF protection mechanism.
Published: 2026-02-09
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Request Forgery enabling unauthorized state changes
Action: Patch
AI Analysis

Impact

PlaciPy version 1.0.0 lacks CSRF protection on endpoints that alter state. Because the application accepts credentialed CORS requests without a CSRF token, an attacker can forge requests from a malicious site that a legitimate user is logged into, causing unauthorized changes to placement data or system settings.

Affected Systems

The affected product is Praskla-Technology’s PlaciPy 1.0.0, a placement management system for educational institutions. No other versions are listed as affected.

Risk and Exploitability

With a CVSS score of 9.3 the vulnerability is critical, but the EPSS score indicates exploitation likelihood remains below 1%. The app trusts cross‑origin requests if credentials are present, so an attacker could exploit the flaw through a phishing page or malicious script. The vulnerability is not included in CISA’s KEV catalog, but it remains a high‑risk issue.

Generated by OpenCVE AI on April 17, 2026 at 21:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Implement full CSRF protection on all state‑changing endpoints, for example by issuing and validating anti‑CSRF tokens.
  • Restrict CORS to trusted domains and remove credentialed cross‑origin requests until CSRF protection is in place.
  • Upgrade to the patched version as soon as a vendor release becomes available.

Generated by OpenCVE AI on April 17, 2026 at 21:11 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 18 Feb 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Prasklatechnology
Prasklatechnology placipy
CPEs cpe:2.3:a:prasklatechnology:placipy:1.0.0:*:*:*:*:*:*:*
Vendors & Products Prasklatechnology
Prasklatechnology placipy
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Tue, 10 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 10 Feb 2026 12:45:00 +0000

Type Values Removed Values Added
First Time appeared Praskla-technology
Praskla-technology assessment-placipy
Vendors & Products Praskla-technology
Praskla-technology assessment-placipy

Mon, 09 Feb 2026 21:30:00 +0000

Type Values Removed Values Added
Description PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the application enables credentialed CORS requests but does not implement any CSRF protection mechanism.
Title PlaciPy is Missing CSRF Protection on State-Changing Endpoints
Weaknesses CWE-352
References
Metrics cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Praskla-technology Assessment-placipy
Prasklatechnology Placipy
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-10T15:58:36.209Z

Reserved: 2026-02-05T19:58:01.643Z

Link: CVE-2026-25812

cve-icon Vulnrichment

Updated: 2026-02-10T15:39:39.947Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-09T22:16:02.720

Modified: 2026-02-18T20:10:05.293

Link: CVE-2026-25812

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T21:15:27Z

Weaknesses