CVE-2026-25876 MEDIUM

CVE-2026-25876: PlaciPy is Missing Authorization on Assessment Results Endpoint

Vendor Praskla-Technology
Product assessment-placipy
Weakness CWE-862 · Missing authorization
Published February 9, 2026
Last update February 10, 2026
View on NVD All CVEs

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

What the vulnerability does

01Description

PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the backend/src/routes/results.routes.ts verify authentication but fails to enforce object-level authorization (ownership checks). For example, this can be used to return all results for an assessment.

Key dates

02Disclosure timeline

February 9, 2026 CVE published
February 10, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2023-37989 WordPress Easyship WooCommerce Shipping Rates plugin <= 0.9.0 - Broken Access Control vulnerability CVE-2026-27398 WordPress RSVP and Event Management plugin <= 2.7.16 - Broken Access Control vulnerability CVE-2024-11816 The Ultimate WordPress Toolkit – WP Extended <= 3.0.11 - Missing Authorization to Authenticated (Subscriber+) Remote Code Execution CVE-2024-4958 User Registration – Custom Registration Form, Login Form, and User Profile WordPress Plugin <= 3.2.0.1 - Missing Authorization to Privilege Escalation CVE-2025-9218 rtMedia for WordPress, BuddyPress and bbPress 4.7.0 - 4.7.3 - Missing Authorization to Unauthenticated Information Disclosure via handle_rest_pre_dispatch Function