PlaciPy lacks CSRF protection on state-changing endpoints

Platform

python

Component

assessment-placipy

Fixed in

1.0.1

AI Confidence: high · NVD · EPSS 0.0% · Reviewed: May 2026

CVE-2026-25812 describes a Cross-Site Request Forgery (CSRF) vulnerability affecting PlaciPy, a placement management system for educational institutions. This flaw allows an attacker to trick authenticated users into performing actions they did not intend, potentially leading to unauthorized modifications within the system. The vulnerability impacts PlaciPy versions 1.0.0 and prior, and a fix is available in version 1.0.1.

Impact and Attack Scenarios

A successful CSRF attack against PlaciPy could allow an attacker to manipulate placement data, modify user accounts, or perform other administrative actions as the logged-in user. This could result in unauthorized changes to student placements, incorrect course assignments, or even the compromise of user credentials. The potential impact is significant, especially in environments where PlaciPy manages sensitive student information. While no specific real-world exploits have been publicly reported for PlaciPy, CSRF vulnerabilities are commonly exploited, and the lack of protection in this system presents a clear risk.

Exploitation Context

CVE-2026-25812 was publicly disclosed on 2026-02-09. There are currently no known public proof-of-concept exploits available. The EPSS score is pending evaluation. This vulnerability is not currently listed on the CISA KEV catalog.

Who Is at Risk

Educational institutions using PlaciPy version 1.0.0 are at direct risk. Specifically, institutions relying on PlaciPy for managing student placements and course assignments are vulnerable. Shared hosting environments where PlaciPy is deployed could also be impacted if multiple applications share the same domain and are susceptible to CSRF attacks.

Detection Steps

• python / server:

# Check for PlaciPy version 1.0.0 or earlier
pip show placipy

• generic web:

# Check for vulnerable endpoints (example - adjust to PlaciPy's structure)
curl -I https://example.com/placement/modify

Attack Timeline

  1. Disclosure

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: NO

EPSS

0.02% (6th percentile)

CISA SSVC

Exploitation: none
Automatable: yes
Technical Impact: partial

Affected Software

Component: assessment-placipy
Vendor: Praskla-Technology
Affected range: = 1.0.0 – = 1.0.0
Fixed in: 1.0.1

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2026-25812 is to upgrade PlaciPy to version 1.0.1 or later, which includes a fix for the CSRF vulnerability. If upgrading is not immediately feasible, consider a temporary workaround: add CSRF protection to all state-changing endpoints, for example anti-CSRF tokens or other CSRF prevention techniques. Additionally, educate users about the risks of clicking on suspicious links or opening untrusted emails to reduce the likelihood of exploitation. After upgrading, confirm the fix by testing the key placement-modification functions with a separate user account to ensure CSRF protection is active.

How to Remediate

Upgrade to a version that implements CSRF protection. Include a CSRF token in every request that changes server state. Validate the CSRF token on the server side before the request is processed.
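The workaround described above (a server-side CSRF token on every state-changing request) as an added example; this is not PlaciPy's code, and the handler names, the `csrf_token` field name and the in-memory `session`/`placements` dicts are hypothetical stand-ins for the framework's own objects. The vulnerable handler is shown beside the protected one so the difference in behaviour is visible.

```python
import hmac
import secrets
from typing import Optional

TOKEN_FIELD = "csrf_token"  # hypothetical session key and form field name


def issue_csrf_token(session: dict) -> str:
    """Synchronizer token: generated once per session, stored server-side,
    and rendered into the forms of state-changing pages."""
    if TOKEN_FIELD not in session:
        session[TOKEN_FIELD] = secrets.token_urlsafe(32)
    return session[TOKEN_FIELD]


def csrf_token_valid(session: dict, submitted: Optional[str]) -> bool:
    """Reject a missing token, a session without a token, or a mismatch.
    compare_digest keeps the comparison constant-time."""
    expected = session.get(TOKEN_FIELD)
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


def modify_placement_vulnerable(session: dict, form: dict, placements: dict) -> int:
    """Pattern the CVE describes: only the login is checked, so a cross-site
    POST carried by the victim's session cookie is honoured."""
    if "user" not in session:
        return 401
    placements[form["student"]] = form["company"]
    return 200


def modify_placement_protected(session: dict, form: dict, placements: dict) -> int:
    """Same endpoint with the token validated before any state changes.
    A forged cross-site request cannot read the token, so it fails here."""
    if "user" not in session:
        return 401
    if not csrf_token_valid(session, form.get(TOKEN_FIELD)):
        return 403
    placements[form["student"]] = form["company"]
    return 200


if __name__ == "__main__":
    # constructed sample: a logged-in admin session and a forged form body
    session = {"user": "admin"}
    forged = {"student": "s-0001", "company": "attacker-chosen"}
    print("vulnerable:", modify_placement_vulnerable(session, forged, {}))  # 200
    print("protected :", modify_placement_protected(session, forged, {}))  # 403
```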

Frequently Asked Questions

What is CVE-2026-25812 — CSRF in PlaciPy?

CVE-2026-25812 is a Cross-Site Request Forgery (CSRF) vulnerability in PlaciPy version 1.0.0, allowing attackers to perform unauthorized actions as authenticated users.

Am I affected by CVE-2026-25812 in PlaciPy?

If you are using PlaciPy version 1.0.0 or earlier, you are affected by this vulnerability. Upgrade to version 1.0.1 to mitigate the risk.

How do I fix CVE-2026-25812 in PlaciPy?

The recommended fix is to upgrade PlaciPy to version 1.0.1 or later. If upgrading is not possible, implement temporary CSRF protection measures.

Is CVE-2026-25812 being actively exploited?

As of now, there are no confirmed reports of active exploitation of CVE-2026-25812, but the vulnerability presents a significant risk.

Where can I find the official PlaciPy advisory for CVE-2026-25812?

Refer to the PlaciPy project's official website or repository for the latest security advisories and updates related to CVE-2026-25812.