CVE-2026-25809
📋 TL;DR
This vulnerability in PlaciPy version 1.0.0 allows attackers to execute code evaluation outside of intended assessment windows due to missing lifecycle state validation. Educational institutions using this placement management system are affected, potentially enabling unauthorized access to assessment functionality.
💻 Affected Systems
- PlaciPy
📦 What is this software?
PlaciPy by Praskla Technology
⚠️ Risk & Real-World Impact
Worst Case
Attackers could manipulate assessment results, access sensitive student data, or execute arbitrary code by bypassing assessment timing controls.
Likely Case
Unauthorized users could submit or modify assessment evaluations outside permitted timeframes, compromising academic integrity.
If Mitigated
With proper validation, only authorized users during open assessment windows could execute evaluations.
🎯 Exploit Status
Exploitation requires access to the code evaluation endpoint but doesn't need authentication bypass. The vulnerability is straightforward to exploit once identified.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check GitHub advisory for latest patched version
Vendor Advisory: https://github.com/Praskla-Technology/assessment-placipy/security/advisories/GHSA-cc32-rp29-w9x7
Restart Required: Yes
Instructions:
1. Visit the GitHub advisory URL
2. Check for available patches or updates
3. Update to the latest secure version
4. Restart the PlaciPy application
🔧 Temporary Workarounds
Implement API endpoint validation
Add server-side validation that checks the assessment lifecycle state before allowing code evaluation:
# Modify the code evaluation endpoint to include: if not assessment.is_active(): return error
Temporary endpoint disablement
Disable the code evaluation endpoint until patched:
# Comment out or remove the vulnerable endpoint route in your application
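The following is an added example of the lifecycle gate described in the workaround above; it is not PlaciPy's code. The class names, the lifecycle states, the enrolment check and the evaluator stand-in are all assumptions chosen for illustration, since the page does not show the real model. It puts the unpatched handler shape next to the hardened one so the difference is visible in one run:

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional


class AssessmentState(Enum):
    """Hypothetical lifecycle states; PlaciPy's real state names are not on the page."""
    DRAFT = "draft"
    SCHEDULED = "scheduled"
    OPEN = "open"
    CLOSED = "closed"


@dataclass
class Assessment:
    assessment_id: str
    state: AssessmentState
    starts_at: datetime              # timezone-aware
    ends_at: datetime                # timezone-aware, exclusive
    enrolled: set = field(default_factory=set)

    def is_active(self, now: datetime) -> bool:
        """The gate the advisory asks for: OPEN state *and* the clock inside the window.
        Checking both catches an assessment left OPEN after its end time as well as one
        whose window has started but that staff have not yet opened."""
        return self.state is AssessmentState.OPEN and self.starts_at <= now < self.ends_at


class EvaluationRejected(Exception):
    """Raised instead of running the evaluator when a request fails the gate."""


def run_evaluator(code: str) -> dict:
    # Stand-in for the real code evaluation backend; it executes nothing.
    return {"ran": True, "submitted_bytes": len(code.encode())}


def evaluate_unpatched(assessment: Assessment, candidate: str, code: str) -> dict:
    # Shape of the vulnerable handler: the assessment is never consulted before evaluating.
    return run_evaluator(code)


def evaluate_hardened(assessment: Assessment, candidate: str, code: str,
                      now: Optional[datetime] = None) -> dict:
    # Hardened handler: authorization first, then the lifecycle/window check, then evaluation.
    now = now or datetime.now(timezone.utc)
    if candidate not in assessment.enrolled:
        raise EvaluationRejected("candidate is not enrolled in this assessment")
    if not assessment.is_active(now):
        raise EvaluationRejected(
            f"assessment {assessment.assessment_id} is not accepting evaluations "
            f"(state={assessment.state.value}, now={now.isoformat()})"
        )
    return run_evaluator(code)


def demo() -> dict:
    """Run both handlers against one constructed assessment and return the outcomes."""
    start = datetime(2026, 3, 1, 9, 0, tzinfo=timezone.utc)
    assessment = Assessment("asm-42", AssessmentState.OPEN, start,
                            start + timedelta(hours=2), {"cand-1"})
    cases = {
        "inside_window": (start + timedelta(minutes=30), "cand-1"),
        "before_window": (start - timedelta(minutes=1), "cand-1"),
        "at_end_time": (start + timedelta(hours=2), "cand-1"),    # end is exclusive
        "not_enrolled": (start + timedelta(minutes=30), "cand-9"),
    }
    outcomes = {}
    for label, (when, who) in cases.items():
        try:
            evaluate_hardened(assessment, who, "print('hello')", now=when)
            outcomes[label] = "accepted"
        except EvaluationRejected:
            outcomes[label] = "rejected"
    # Same assessment with the state flipped to CLOSED while the clock is still inside the window.
    assessment.state = AssessmentState.CLOSED
    try:
        evaluate_hardened(assessment, "cand-1", "print('hello')", now=start + timedelta(minutes=30))
        outcomes["closed_state"] = "accepted"
    except EvaluationRejected:
        outcomes["closed_state"] = "rejected"
    # The unpatched handler runs the evaluator for an unenrolled user on a closed assessment.
    ran = evaluate_unpatched(assessment, "cand-9", "print('hello')")["ran"]
    outcomes["unpatched_closed_unenrolled"] = "accepted" if ran else "rejected"
    return outcomes


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:30s} {outcome}")
```

The check runs on the server's own clock and on the stored lifecycle state, never on anything the client sends, and the window end is treated as exclusive so a request at exactly the closing second is refused.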
🧯 If You Can't Patch
- Implement network-level access controls to restrict who can reach the code evaluation endpoint
- Add additional authentication and authorization checks before processing evaluation requests
🔍 How to Verify
Check if Vulnerable:
Check whether you are running PlaciPy version 1.0.0 and attempt to access the code evaluation endpoint outside an assessment window
Check Version:
Check PlaciPy configuration files or application metadata for version information
Verify Fix Applied:
Test that code evaluation endpoint now validates assessment lifecycle state and rejects requests outside permitted times
📡 Detection & Monitoring
Log Indicators:
- Code evaluation requests outside assessment time windows
- Failed assessment state validation attempts
- Unusual timing patterns in evaluation submissions
Network Indicators:
- HTTP requests to code evaluation endpoint with timestamps outside assessment windows
- Unusual request patterns to /api/evaluate or similar endpoints
SIEM Query:
source="placipy" AND (uri_path="/api/evaluate" OR uri_path="/evaluate") AND timestamp NOT BETWEEN assessment_start_time AND assessment_end_time
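The SIEM query above needs the assessment schedule joined in, which most SIEMs handle through a lookup table. The script below is an added example, not part of the advisory, that performs the same check offline over constructed log lines in a key=value format chosen for this illustration (PlaciPy's real log format is not on the page). It flags evaluation requests that fall outside the scheduled window, requests for an assessment with no known window, and distinguishes requests the server actually accepted (the vulnerable behaviour) from ones a lifecycle check rejected:

```python
from datetime import datetime, timezone

# Constructed assessment schedule; PlaciPy's real schema is not on the page.
WINDOWS = {
    "asm-42": (datetime(2026, 3, 1, 9, 0, tzinfo=timezone.utc),
               datetime(2026, 3, 1, 11, 0, tzinfo=timezone.utc)),
}

# Endpoint paths named in the advisory; extend for any other route your deployment uses.
EVAL_PATHS = {"/api/evaluate", "/evaluate"}

# Constructed sample log: ISO timestamp followed by key=value fields.
SAMPLE_LOG = """\
2026-03-01T08:58:12+00:00 source=placipy uri_path=/api/evaluate assessment_id=asm-42 user=cand-7 status=200
2026-03-01T09:15:44+00:00 source=placipy uri_path=/api/evaluate assessment_id=asm-42 user=cand-1 status=200
2026-03-01T09:16:02+00:00 source=placipy uri_path=/api/assessments/asm-42 assessment_id=asm-42 user=cand-1 status=200
2026-03-01T11:00:00+00:00 source=placipy uri_path=/evaluate assessment_id=asm-42 user=cand-3 status=200
2026-03-01T12:30:09+00:00 source=placipy uri_path=/api/evaluate assessment_id=asm-99 user=cand-5 status=200
2026-03-01T12:31:00+00:00 source=placipy uri_path=/api/evaluate assessment_id=asm-42 user=cand-7 status=403
"""


def parse_line(line: str) -> dict:
    """Split one log line into a dict; the leading token is the timestamp."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.fromisoformat(ts)
    return event


def classify(event: dict, windows: dict):
    """Return a reason string for an out-of-window evaluation request, else None."""
    if event.get("source") != "placipy" or event.get("uri_path") not in EVAL_PATHS:
        return None
    window = windows.get(event.get("assessment_id"))
    if window is None:
        return "unknown_assessment"
    start, end = window
    if event["ts"] < start:
        return "before_window"
    if event["ts"] >= end:            # window end treated as exclusive
        return "after_window"
    return None


def find_out_of_window(log_text: str, windows: dict = WINDOWS) -> list:
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        event = parse_line(raw)
        reason = classify(event, windows)
        if reason is None:
            continue
        findings.append({
            "ts": event["ts"].isoformat(),
            "user": event.get("user"),
            "assessment_id": event.get("assessment_id"),
            "reason": reason,
            # A 2xx means the server ran the evaluation outside the window (the vulnerable
            # behaviour); a 4xx means the lifecycle check rejected it, which is the
            # "failed assessment state validation" indicator listed above.
            "server_accepted": int(event.get("status", "0")) < 400,
        })
    return findings


def accepted_out_of_window(findings: list) -> dict:
    """Count accepted out-of-window evaluations per assessment; any non-zero count
    on a 1.0.0 deployment is the condition this advisory describes."""
    counts = {}
    for f in findings:
        if f["server_accepted"]:
            counts[f["assessment_id"]] = counts.get(f["assessment_id"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_out_of_window(SAMPLE_LOG)
    for h in hits:
        print(h)
    print("accepted out-of-window by assessment:", accepted_out_of_window(hits))
```

Requests to non-evaluation paths are ignored, and a request at exactly the window's end time is flagged, matching a handler that treats the end as exclusive.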