彙總 prasklatechnology 相關全部產品的 CVE 與安全漏洞情報,包括 CVSS、EPSS、公開時間與漏洞情報資料。
已披露問題常與 CSRF與路徑處理缺陷 相關,可能在 生產負載與軟體部署 場景中帶來 檔案覆寫 等暴露風險。
相關漏洞資料主要來源於公開漏洞披露與安全公告,可用於評估歷史漏洞暴露面與修補優先順序。
| CVE | 摘要 | 來源 | 最高 CVSS | EPSS % | 公開時間 | 更新時間 |
|---|---|---|---|---|---|---|
| CVE-2026-25875 | PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, The admin authorization middleware trusts client-controlled JWT claims (role and scope) without enforcing server-side role verification. | [email protected] | 9.3 | 0.29% | 2026-02-09 | 2026-06-17 |
| CVE-2026-25814 | PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, User-controlled query parameters are passed directly into DynamoDB query/filter construction without validation or sanitization. | [email protected] | 9.3 | 0.34% | 2026-02-09 | 2026-06-17 |
| CVE-2026-25813 | PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, The application logs highly sensitive data directly to console output without masking or redaction. | [email protected] | 8.7 | 0.26% | 2026-02-09 | 2026-06-17 |
| CVE-2026-25812 | PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the application enables credentialed CORS requests but does not implement any CSRF protection mechanism. | [email protected] | 9.3 | 0.14% | 2026-02-09 | 2026-06-17 |
| CVE-2026-25811 | PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the application derives the tenant identifier directly from the email domain provided by the user, without validating domain ownership or registration. This allows cross-tenant data access. | [email protected] | 5.3 | 0.27% | 2026-02-09 | 2026-06-17 |
| CVE-2026-25876 | PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the backend/src/routes/results.routes.ts verify authentication but fails to enforce object-level authorization (ownership checks). For example, this can be used to return all results for an assessment. | [email protected] | 5.3 | 0.25% | 2026-02-09 | 2026-06-17 |
| CVE-2026-25810 | PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the backend/src/routes/student.submission.routes.ts verify authentication but fails to enforce object-level authorization (ownership checks). | [email protected] | 5.3 | 0.25% | 2026-02-09 | 2026-06-17 |
| CVE-2026-25809 | PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the code evaluation endpoint does not validate the assessment lifecycle state before allowing execution. There is no check to ensure that the assessment has started, is not expired, or the submission window is currently open. | [email protected] | 5.3 | 0.31% | 2026-02-09 | 2026-06-17 |
| CVE-2026-25806 | PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the GET /api/students/:email PUT /api/students/:email/status, and DELETE /api/students/:email routes in backend/src/routes/student.routes.ts only enforce authentication using authenticateToken but do not enforce authorization. The application does not verify whether the authenticated user owns the student record being accessed, has an administrative / staff role, or is permitted to modify or delete | [email protected] | 5.3 | 0.21% | 2026-02-09 | 2026-06-17 |
| CVE-2026-25753 | PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the application uses a hard-coded, static default password for all newly created student accounts. This results in mass account takeover, allowing any attacker to log in as any student once the password is known. | [email protected] | 9.3 | 0.36% | 2026-02-06 | 2026-06-17 |