Platform
python
Component
assessment-placipy
Fixed in
1.0.1
CVE-2026-25812 describes a Cross-Site Request Forgery (CSRF) vulnerability affecting PlaciPy, a placement management system for educational institutions. This flaw allows an attacker to trick authenticated users into performing actions they did not intend, potentially leading to unauthorized modifications within the system. The vulnerability impacts PlaciPy versions 1.0.0 and prior, and a fix is available in version 1.0.1.
A successful CSRF attack against PlaciPy could allow an attacker to manipulate placement data, modify user accounts, or perform other administrative actions as the logged-in user. This could result in unauthorized changes to student placements, incorrect course assignments, or even the compromise of user credentials. The potential impact is significant, especially in environments where PlaciPy manages sensitive student information. While no specific real-world exploits have been publicly reported for PlaciPy, CSRF vulnerabilities are commonly exploited, and the lack of protection in this system presents a clear risk.
CVE-2026-25812 was publicly disclosed on 2026-02-09. There are currently no known public proof-of-concept exploits available. The EPSS score is pending evaluation. This vulnerability is not currently listed on the CISA KEV catalog.
Educational institutions using PlaciPy version 1.0.0 are at direct risk. Specifically, institutions relying on PlaciPy for managing student placements and course assignments are vulnerable. Shared hosting environments where PlaciPy is deployed could also be impacted if multiple applications share the same domain and are susceptible to CSRF attacks.
• python / server:
# Check for PlaciPy version 1.0.0 or earlier
pip show placipy
• generic web:
# Check for vulnerable endpoints (example - adjust to PlaciPy's structure)
curl -I https://example.com/placement/modifydisclosure
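The `pip show` check above only prints the installed version; the following added example (not part of the advisory or of PlaciPy) parses that output and decides whether the installation falls in the affected range, i.e. strictly before the fixed version 1.0.1 stated on this page. The sample `pip show` outputs are constructed for illustration; the `placipy` distribution name is taken from the command above.

```python
# Added example (not from the advisory): classify an installed PlaciPy as
# affected (<= 1.0.0) or fixed (>= 1.0.1) from `pip show placipy` output.
import re
import subprocess

FIXED_IN = (1, 0, 1)  # from the advisory: CSRF fix shipped in 1.0.1


def parse_version(pip_show_output):
    """Return the 'Version:' field of `pip show` output as a tuple of ints,
    or None when the field is absent (package not installed)."""
    m = re.search(r"^Version:\s*(\S+)", pip_show_output, re.MULTILINE)
    if not m:
        return None
    parts = []
    for piece in m.group(1).split("."):
        digits = re.match(r"\d+", piece)  # "1rc1" -> 1; pre-release tags are ignored
        parts.append(int(digits.group()) if digits else 0)
    return tuple(parts)


def is_affected(version):
    """True when the installed version sorts strictly before FIXED_IN."""
    if version is None:
        return False  # nothing installed, nothing to patch
    # Pad both tuples so (1, 0) compares like (1, 0, 0).
    width = max(len(version), len(FIXED_IN))
    v = version + (0,) * (width - len(version))
    f = FIXED_IN + (0,) * (width - len(FIXED_IN))
    return v < f


def check_installed():
    """Run `pip show placipy` on this host and return (version, affected)."""
    proc = subprocess.run(["pip", "show", "placipy"], capture_output=True, text=True)
    version = parse_version(proc.stdout)
    return version, is_affected(version)


# Constructed sample outputs in the format `pip show` prints.
SAMPLE_VULNERABLE = "Name: placipy\nVersion: 1.0.0\nSummary: placement management\n"
SAMPLE_FIXED = "Name: placipy\nVersion: 1.0.1\nSummary: placement management\n"

if __name__ == "__main__":
    for sample in (SAMPLE_VULNERABLE, SAMPLE_FIXED):
        v = parse_version(sample)
        print(v, "AFFECTED" if is_affected(v) else "not affected")
```

`check_installed()` runs the real command; the two constructed samples let the comparison logic be exercised without PlaciPy installed. Pre-release suffixes are dropped before comparison, so a hypothetical `1.0.1rc1` would be reported as not affected; treat such builds conservatively.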
Exploit status
EPSS
0.02% (6th percentile)
CISA SSVC
The primary mitigation for CVE-2026-25812 is to upgrade PlaciPy to version 1.0.1 or later, which includes a fix for the CSRF vulnerability. If upgrading is not immediately feasible, consider a temporary workaround by adding CSRF protection to all sensitive endpoints, for example per-session anti-CSRF tokens or other CSRF prevention techniques. Additionally, educate users about the risks of clicking on suspicious links or opening untrusted emails to minimize the likelihood of exploitation. After upgrading, confirm the fix by testing key placement-modification functions with a separate user account to ensure CSRF protection is active.
Upgrade to a version that implements CSRF protection. Include a CSRF token in every request that modifies server state. Validate the CSRF token on the server before processing the request.
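The two recommendations above (a token on every state-changing request, validated server-side before the request is processed) are what the following added example implements. It is not PlaciPy's code and does not reflect how version 1.0.1 fixed the issue; the handler, the session identifier, and the allowed-origin list are hypothetical. It uses the synchronizer-token pattern: the token is derived from the session with a server secret, embedded in forms as a hidden field, and compared in constant time, with an Origin-header check as a second layer.

```python
# Added example (not PlaciPy's code): synchronizer-token CSRF protection for
# a hypothetical placement-modification endpoint.
import hashlib
import hmac
import secrets

# Assumption: in a real deployment this comes from configuration, not a fresh
# random value per process, so tokens survive restarts and multiple workers.
SECRET_KEY = secrets.token_bytes(32)

# Requests with these methods must not change state, so they carry no token.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

# Hypothetical: the origins from which this application serves its own forms.
ALLOWED_ORIGINS = {"https://placements.example"}


def issue_csrf_token(session_id):
    """Derive a token bound to the user's session. Render it into every
    state-changing form as <input type="hidden" name="csrf_token" ...>."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_token_is_valid(session_id, presented):
    """Constant-time comparison of the submitted token against the expected one."""
    if not presented:
        return False
    return hmac.compare_digest(issue_csrf_token(session_id), presented)


def origin_is_allowed(headers):
    """Defense in depth: if the browser sent an Origin header, it must be ours.
    Absent Origin is tolerated because the token check still applies."""
    origin = headers.get("Origin")
    return origin is None or origin in ALLOWED_ORIGINS


def handle_modify_placement(method, session_id, form, headers=None):
    """Hypothetical handler. Returns an HTTP status: 200 when the change is
    accepted, 403 when the request fails the CSRF checks."""
    headers = headers or {}
    if method not in SAFE_METHODS:
        # Validate before touching any state, as the advisory recommends.
        if not origin_is_allowed(headers):
            return 403
        if not csrf_token_is_valid(session_id, form.get("csrf_token")):
            return 403
    # ... apply the placement change for this session's user here ...
    return 200


if __name__ == "__main__":
    sid = "session-abc123"  # constructed session identifier
    token = issue_csrf_token(sid)
    print("no token   ->", handle_modify_placement("POST", sid, {}))
    print("with token ->", handle_modify_placement("POST", sid, {"csrf_token": token}))
```

A forged cross-site form post cannot read the victim's token, so it arrives without one (or with a token from the attacker's own session, which fails the per-session binding) and is rejected before any state changes. Pair this with `SameSite` cookies where the deployment allows it.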
CVE-2026-25812 is a Cross-Site Request Forgery (CSRF) vulnerability in PlaciPy version 1.0.0, allowing attackers to perform unauthorized actions as authenticated users.
If you are using PlaciPy version 1.0.0 or earlier, you are affected by this vulnerability. Upgrade to version 1.0.1 to mitigate the risk.
The recommended fix is to upgrade PlaciPy to version 1.0.1 or later. If upgrading is not possible, implement temporary CSRF protection measures.
As of now, there are no confirmed reports of active exploitation of CVE-2026-25812, but the vulnerability presents a significant risk.
Refer to the PlaciPy project's official website or repository for the latest security advisories and updates related to CVE-2026-25812.