Platform: python
Component: assessment-placipy
Fixed in: 1.0.1
CVE-2026-25812 describes a Cross-Site Request Forgery (CSRF) vulnerability affecting PlaciPy, a placement management system for educational institutions. This flaw allows an attacker to trick authenticated users into performing actions they did not intend, potentially leading to unauthorized modifications within the system. The vulnerability impacts PlaciPy versions 1.0.0 and prior, and a fix is available in version 1.0.1.
A successful CSRF attack against PlaciPy could allow an attacker to manipulate placement data, modify user accounts, or perform other administrative actions as the logged-in user. This could result in unauthorized changes to student placements, incorrect course assignments, or even the compromise of user credentials. The potential impact is significant, especially in environments where PlaciPy manages sensitive student information. While no specific real-world exploits have been publicly reported for PlaciPy, CSRF vulnerabilities are commonly exploited, and the lack of protection in this system presents a clear risk.
CVE-2026-25812 was publicly disclosed on 2026-02-09. There are currently no known public proof-of-concept exploits available. The EPSS score is pending evaluation. This vulnerability is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.02% (6th percentile)
CISA SSVC
The primary mitigation for CVE-2026-25812 is to upgrade PlaciPy to version 1.0.1 or later, which includes a fix for the CSRF vulnerability. If upgrading is not immediately feasible, consider a temporary workaround: add CSRF protection to every sensitive endpoint, for example by requiring an anti-CSRF token or applying another recognized CSRF prevention technique. Additionally, educate users about the risks of clicking suspicious links or opening untrusted emails to reduce the likelihood of exploitation. After upgrading, confirm that the protection is active by testing the key placement-modification functions with a separate user account.
Update to a version that implements CSRF protection. Include a CSRF token in every request that modifies server state, and validate that token on the server before the request is processed.
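The token check the remediation describes, shown here as an added illustration in plain Python (this is not PlaciPy's own code, which the advisory does not show; the session and form dictionaries are hypothetical stand-ins for a web framework's session store and parsed request body):

```python
import hmac
import secrets

# Synchronizer-token pattern: the server keeps one random token per session
# and requires every state-changing request to echo it back. The `session`
# and `form` dicts are hypothetical stand-ins for a framework's session
# store and parsed request body.

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}   # must never change server state


def issue_csrf_token(session: dict) -> str:
    """Return the session's CSRF token, creating it on first use.

    The token is rendered as a hidden field in each state-changing form;
    a page on an attacker's origin cannot read it, so it cannot forge it."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def csrf_request_allowed(session: dict, method: str, form: dict) -> bool:
    """Validate the submitted token before any handler touches the data."""
    if method.upper() in SAFE_METHODS:
        return True                      # safe methods carry no token
    expected = session.get("csrf_token")
    submitted = form.get("csrf_token")
    if not expected or not isinstance(submitted, str) or not submitted:
        return False                     # no token issued, or none sent
    # Constant-time comparison so a wrong guess leaks nothing via timing.
    return hmac.compare_digest(expected.encode(), submitted.encode())


def update_placement(session: dict, method: str, form: dict, store: dict) -> int:
    """Example state-changing handler; returns an HTTP-style status code."""
    if not csrf_request_allowed(session, method, form):
        return 403                       # reject before modifying anything
    store[form["student"]] = form["placement"]
    return 200


if __name__ == "__main__":
    session, store = {}, {}
    token = issue_csrf_token(session)
    # Constructed sample requests: a forged cross-site POST has no token.
    forged = {"student": "s1", "placement": "Company A"}
    legit = dict(forged, csrf_token=token)
    print(update_placement(session, "POST", forged, store))  # 403
    print(update_placement(session, "POST", legit, store))   # 200
```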
CVE-2026-25812 is a Cross-Site Request Forgery (CSRF) vulnerability in PlaciPy version 1.0.0, allowing attackers to perform unauthorized actions as authenticated users.
If you are using PlaciPy version 1.0.0 or earlier, you are affected by this vulnerability. Upgrade to version 1.0.1 to mitigate the risk.
The recommended fix is to upgrade PlaciPy to version 1.0.1 or later. If upgrading is not possible, implement temporary CSRF protection measures.
As of now, there are no confirmed reports of active exploitation of CVE-2026-25812, but the vulnerability presents a significant risk.
Refer to the PlaciPy project's official website or repository for the latest security advisories and updates related to CVE-2026-25812.