CVE-2026-25812: CSRF in PlaciPy Placement Management System

Platform

python

Component

assessment-placipy

Fixed in

1.0.1

AI Confidence: high · Source: NVD · EPSS: 0.0% · Reviewed: May 2026

CVE-2026-25812 describes a Cross-Site Request Forgery (CSRF) vulnerability affecting PlaciPy, a placement management system for educational institutions. This flaw allows an attacker to trick authenticated users into performing actions they did not intend, potentially leading to unauthorized modifications within the system. The vulnerability impacts PlaciPy versions 1.0.0 and prior, and a fix is available in version 1.0.1.


Impact and Attack Scenarios

A successful CSRF attack against PlaciPy could allow an attacker to manipulate placement data, modify user accounts, or perform other privileged actions with the rights of whichever user is logged in when the forged request is submitted. Because the victim's browser attaches the session cookie automatically, the attacker needs no credentials of their own: luring an authenticated administrator to a page that auto-submits a form is enough. This could result in unauthorized changes to student placements, incorrect course assignments, and, if a password- or e-mail-change form is among the unprotected endpoints, takeover of the victim's account. The potential impact is significant, especially in environments where PlaciPy manages sensitive student information. While no specific real-world exploits have been publicly reported for PlaciPy, CSRF is a well-understood and easily weaponized class of bug, and the absence of any anti-CSRF control in version 1.0.0 presents a clear risk.

Exploitation Context

CVE-2026-25812 was publicly disclosed on 2026-02-09. There are currently no known public proof-of-concept exploits available. The EPSS score is 0.02% (6th percentile), indicating a low predicted probability of exploitation in the wild. This vulnerability is not currently listed on the CISA KEV catalog.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No

EPSS

0.02% (6th percentile)

CISA SSVC

Exploitation: none
Automatable: yes
Technical Impact: partial

Affected Software

Component: assessment-placipy
Vendor: Praskla-Technology
Affected range: = 1.0.0 (1.0.0 only)
Fixed in: 1.0.1

Weakness Classification (CWE)

Cross-Site Request Forgery is classified as CWE-352 (Cross-Site Request Forgery (CSRF)).

Timeline

  1. Reserved
  2. Published (2026-02-09)
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2026-25812 is to upgrade PlaciPy to version 1.0.1 or later, which includes a fix for the CSRF vulnerability. If upgrading is not immediately feasible, add CSRF protection in front of every state-changing endpoint as a temporary workaround: require a per-session synchronizer token on every POST/PUT/PATCH/DELETE request and validate it server-side, set the session cookie with SameSite=Lax or SameSite=Strict, and reject requests whose Origin (or, failing that, Referer) header does not match the deployment's own origin. Note that this is not "token-based authentication": the session cookie still authenticates the user; the CSRF token only proves the request was built by a page the application itself served. Additionally, educate users about the risks of clicking on suspicious links or opening untrusted emails to minimize the likelihood of exploitation. After upgrading, confirm the protection is active by replaying a placement-modification request from a logged-in session with the CSRF token stripped, or from a page on a different origin; the server must reject it (typically with HTTP 403) rather than apply the change.

How to fix

Update to a version that implements CSRF protection. Issue a CSRF token bound to the user's session, embed it in every form (or send it in a custom request header for XHR/fetch calls) that modifies server state, and validate the token on the server, with a constant-time comparison, before processing the request. Requests that arrive without a token, with a token belonging to another session, or from a foreign origin must be rejected before any data is changed.
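The following is an added, framework-agnostic Python illustration of the synchronizer-token check described in the mitigation and fix sections above; it is not PlaciPy's code and makes no claim about how version 1.0.1 implements its fix. The handler names, the `placements` store, the `SECRET_KEY`, the trusted origin `https://placipy.example.edu`, and the constructed requests are all assumptions made for the example. It shows a 'before' handler that trusts the session cookie alone (the CSRF pattern this CVE describes) next to a hardened one, and the replay checks a practitioner would run to confirm a fix.

```python
"""Synchronizer-token CSRF protection, shown beside the unprotected pattern.

Example code added for illustration; not PlaciPy's implementation.
All names, origins and sample requests below are constructed assumptions.
"""
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Hypothetical server-side secret; a real deployment loads it from config.
SECRET_KEY = secrets.token_bytes(32)
# Assumed deployment origin; Origin/Referer must match scheme + host.
TRUSTED_ORIGIN = "https://placipy.example.edu"
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}

# Constructed in-memory placement table standing in for the application's DB.
placements = {"s1": "Course A"}


def issue_csrf_token(session_id: str) -> str:
    """Derive a per-session token as HMAC(secret, session id).

    Embed it in each state-changing form as a hidden field; it is
    worthless to an attacker because they cannot read the victim's page.
    """
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def _same_origin(url: str) -> bool:
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}" == TRUSTED_ORIGIN


def csrf_check(method: str, session_id: str, form: dict, headers: dict) -> tuple[bool, str]:
    """Return (allowed, reason) for a request; only unsafe methods are gated."""
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    origin = headers.get("Origin") or headers.get("Referer")
    if origin and not _same_origin(origin):
        return False, "origin mismatch"
    submitted = form.get("csrf_token") or headers.get("X-CSRF-Token")
    if not submitted:
        return False, "missing token"
    # Constant-time comparison so timing does not leak the expected token.
    if not hmac.compare_digest(submitted, issue_csrf_token(session_id)):
        return False, "token mismatch"
    return True, "ok"


def vulnerable_update_placement(method: str, session_id: str, form: dict, headers: dict) -> dict:
    """'Before' pattern: any POST carrying a valid session cookie is applied."""
    if method.upper() != "POST":
        return {"status": 405}
    placements[form["student_id"]] = form["course"]
    return {"status": 200, "placement": placements[form["student_id"]]}


def update_placement(method: str, session_id: str, form: dict, headers: dict) -> dict:
    """Hardened handler: the CSRF check runs before any state is touched."""
    if method.upper() != "POST":
        return {"status": 405}
    ok, reason = csrf_check(method, session_id, form, headers)
    if not ok:
        return {"status": 403, "reason": reason}
    placements[form["student_id"]] = form["course"]
    return {"status": 200, "placement": placements[form["student_id"]]}


def forged_request() -> tuple[str, str, dict, dict]:
    """A constructed cross-site auto-submitted form: no token, foreign origin."""
    return ("POST", "victim-session",
            {"student_id": "s1", "course": "Attacker Course"},
            {"Origin": "https://attacker.example"})


def legitimate_request() -> tuple[str, str, dict, dict]:
    """The same change submitted from a page the application served."""
    return ("POST", "victim-session",
            {"student_id": "s1", "course": "Course B",
             "csrf_token": issue_csrf_token("victim-session")},
            {"Origin": TRUSTED_ORIGIN})


if __name__ == "__main__":
    print("vulnerable:", vulnerable_update_placement(*forged_request()))
    print("hardened (forged):", update_placement(*forged_request()))
    print("hardened (legit):", update_placement(*legitimate_request()))
```

The post-upgrade verification described above is exactly `update_placement(*forged_request())`: the request is dropped with 403 before the placement table is written, while the tokened same-origin request succeeds. A token minted for a different session is also rejected, so a token leaked from the attacker's own account cannot be reused against the victim.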


Frequently asked questions

What is CVE-2026-25812 — CSRF in PlaciPy?

CVE-2026-25812 is a Cross-Site Request Forgery (CSRF) vulnerability in PlaciPy version 1.0.0, allowing attackers to perform unauthorized actions as authenticated users.

Am I affected by CVE-2026-25812 in PlaciPy?

If you are using PlaciPy version 1.0.0 or earlier, you are affected by this vulnerability. Upgrade to version 1.0.1 to mitigate the risk.

How do I fix CVE-2026-25812 in PlaciPy?

The recommended fix is to upgrade PlaciPy to version 1.0.1 or later. If upgrading is not possible, implement temporary CSRF protection measures.

Is CVE-2026-25812 being actively exploited?

As of now, there are no confirmed reports of active exploitation of CVE-2026-25812, but the vulnerability presents a significant risk.

Where can I find the official PlaciPy advisory for CVE-2026-25812?

Refer to the PlaciPy project's official website or repository for the latest security advisories and updates related to CVE-2026-25812.
