CVE-2026-25812 describes a Cross-Site Request Forgery (CSRF) vulnerability affecting PlaciPy, a placement management system for educational institutions. This flaw allows an attacker to trick authenticated users into performing actions they did not intend, potentially leading to unauthorized modifications within the system. The vulnerability impacts PlaciPy versions 1.0.0 and prior, and a fix is available in version 1.0.1.
Impact and attack scenarios
A successful CSRF attack against PlaciPy could allow an attacker to manipulate placement data, modify user accounts, or perform other administrative actions as the logged-in user. This could result in unauthorized changes to student placements, incorrect course assignments, or even the compromise of user credentials. The potential impact is significant, especially in environments where PlaciPy manages sensitive student information. While no specific real-world exploits have been publicly reported for PlaciPy, CSRF vulnerabilities are commonly exploited, and the lack of protection in this system presents a clear risk.
Exploitation context
CVE-2026-25812 was publicly disclosed on 2026-02-09. There are currently no known public proof-of-concept exploits available. The EPSS score is pending evaluation. This vulnerability is not currently listed on the CISA KEV catalog.
Who is at risk
Educational institutions using PlaciPy version 1.0.0 are at direct risk. Specifically, institutions relying on PlaciPy for managing student placements and course assignments are vulnerable. Shared hosting environments where PlaciPy is deployed could also be impacted if multiple applications share the same domain and are susceptible to CSRF attacks.
Detection steps
• python / server:
  # Check for PlaciPy version 1.0.0 or earlier (pip show prints the installed version)
  pip show placipy
• generic web:
  # Check for vulnerable endpoints (example - adjust to PlaciPy's structure)
  curl -I https://example.com/placement/modify
Attack timeline
- Disclosure (2026-02-09)
Threat intelligence
EPSS: 0.02% (6th percentile)
Mitigation and alternatives
The primary mitigation for CVE-2026-25812 is to upgrade PlaciPy to version 1.0.1 or later, which includes a fix for the CSRF vulnerability. If upgrading is not immediately feasible, consider a temporary workaround by adding CSRF protection to all sensitive endpoints, for example anti-CSRF tokens or other CSRF prevention techniques. Additionally, educate users about the risks of clicking on suspicious links or opening untrusted emails to reduce the likelihood of exploitation. After upgrading, confirm the fix by testing key placement modification functions with a separate user account to ensure CSRF protection is active.
Remediation
Upgrade to a version that implements CSRF protection. Include a CSRF token in every request that modifies server state. Validate the CSRF token on the server side before processing the request.
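The remediation above (a per-session token on every state-changing request, validated server-side before processing) as an added, runnable example; this is not PlaciPy's own code, and the `handle_placement_modify` endpoint, the request dict shape and the demo secret are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed demo secret: a real deployment loads this from configuration, never from source.
SERVER_SECRET = b"demo-secret-do-not-use-in-production"
STATE_CHANGING_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def issue_csrf_token(session_id: str, secret: bytes = SERVER_SECRET) -> str:
    """Mint a token bound to the caller's session: nonce + HMAC(secret, session_id || nonce).

    The server embeds it in every form (hidden field) or exposes it for an X-CSRF-Token header.
    """
    nonce = secrets.token_hex(16)
    mac = hmac.new(secret, f"{session_id}\x00{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def validate_csrf_token(session_id: str, token, secret: bytes = SERVER_SECRET) -> bool:
    """Recompute the MAC for this session and compare in constant time; reject malformed input."""
    if not isinstance(token, str) or token.count(".") != 1:
        return False
    nonce, mac = token.split(".")
    if len(nonce) != 32 or any(c not in "0123456789abcdef" for c in nonce):
        return False
    expected = hmac.new(secret, f"{session_id}\x00{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected.encode(), mac.encode())


def handle_placement_modify(request: dict, session_id: str) -> tuple:
    """Hypothetical PlaciPy-style endpoint (assumed for this example, not the project's code).

    `request` is a constructed dict: {"method": ..., "form": {...}, "headers": {...}}.
    `session_id` stands in for the authenticated session selected by the browser's cookie,
    which a cross-site request carries automatically; the token is what the attacker lacks.
    """
    if request["method"] in STATE_CHANGING_METHODS:
        form, headers = request.get("form", {}), request.get("headers", {})
        token = form.get("csrf_token") or headers.get("X-CSRF-Token")
        if not validate_csrf_token(session_id, token):
            return 403, "CSRF token missing or invalid"  # reject before touching any state
    placement_id = request.get("form", {}).get("placement_id", "?")
    return 200, f"placement {placement_id} updated"


if __name__ == "__main__":
    sid = "sess-alice"
    token = issue_csrf_token(sid)
    forged = {"method": "POST", "form": {"placement_id": "42"}, "headers": {}}
    print(handle_placement_modify(forged, sid))  # (403, 'CSRF token missing or invalid')
    legit = {"method": "POST", "form": {"placement_id": "42", "csrf_token": token}, "headers": {}}
    print(handle_placement_modify(legit, sid))  # (200, 'placement 42 updated')
```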
Frequently asked questions
What is CVE-2026-25812 — CSRF in PlaciPy?
CVE-2026-25812 is a Cross-Site Request Forgery (CSRF) vulnerability in PlaciPy version 1.0.0, allowing attackers to perform unauthorized actions as authenticated users.
Am I affected by CVE-2026-25812 in PlaciPy?
If you are using PlaciPy version 1.0.0 or earlier, you are affected by this vulnerability. Upgrade to version 1.0.1 to mitigate the risk.
How do I fix CVE-2026-25812 in PlaciPy?
The recommended fix is to upgrade PlaciPy to version 1.0.1 or later. If upgrading is not possible, implement temporary CSRF protection measures.
Is CVE-2026-25812 being actively exploited?
As of now, there are no confirmed reports of active exploitation of CVE-2026-25812, but the vulnerability presents a significant risk.
Where can I find the official PlaciPy advisory for CVE-2026-25812?
Refer to the PlaciPy project's official website or repository for the latest security advisories and updates related to CVE-2026-25812.