Security Advisory

CVE-2026-25806

CVE vulnerability detail — eXtreme Datacenter Security Operations

Published 2026-02-09 20:48:58
Last updated 2026-02-10 15:59:04
Assigner GitHub_M
State PUBLISHED

Description

PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the GET /api/students/:email, PUT /api/students/:email/status, and DELETE /api/students/:email routes in backend/src/routes/student.routes.ts only enforce authentication using authenticateToken but do not enforce authorization. The application does not verify whether the authenticated user owns the student record being accessed, has an administrative / staff role, or is permitted to modify or delete the target student.
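The missing check, sketched as an authorization step that would sit after authenticateToken on each of the three routes. This is an added example, not PlaciPy's code or its fix: the role names, the `req.user` shape, the policy table and the `decide` / `requireStudentAccess` names are assumptions.

```typescript
// Added example, not PlaciPy's code. Role names, the req.user shape and the
// policy table below are assumptions made for illustration.
type Role = "student" | "staff" | "admin";
type Action = "read" | "updateStatus" | "delete";
interface AuthUser { email: string; role: Role }
// Minimal structural stand-ins for Express's Request/Response.
interface Req { user?: AuthUser; params: { email: string } }
interface Res { status(code: number): Res; json(body: unknown): Res }

// Assumed policy: roles allowed to act on ANY student record, per action.
const ROLE_MAY: Record<Action, Role[]> = {
  read: ["staff", "admin"],
  updateStatus: ["staff", "admin"],
  delete: ["admin"],
};

// Normalization must match how the data store compares e-mail addresses.
const norm = (e: string): string => e.trim().toLowerCase();

// Pure decision: returns the HTTP status the request should receive.
function decide(user: AuthUser | undefined, targetEmail: string, action: Action): number {
  if (!user) return 401;                                    // no authenticated identity
  if (ROLE_MAY[action].indexOf(user.role) !== -1) return 200; // privileged role
  const owner = norm(user.email) === norm(targetEmail);
  if (owner && action === "read") return 200;               // students read only their own record
  return 403;                                               // authenticated, not authorized
}

// Express-style middleware: authenticateToken, then requireStudentAccess(...).
function requireStudentAccess(action: Action) {
  return (req: Req, res: Res, next: () => void): void => {
    const code = decide(req.user, req.params.email, action);
    if (code === 200) { next(); return; }
    res.status(code).json({ error: code === 401 ? "unauthenticated" : "forbidden" });
  };
}

// Constructed sample identities and requests covering the three routes.
const alice: AuthUser = { email: "alice@example.edu", role: "student" };
const staff: AuthUser = { email: "tpo@example.edu", role: "staff" };
function demo(): number[] {
  return [
    decide(alice, "Alice@example.edu", "read"),         // own record
    decide(alice, "bob@example.edu", "read"),           // another student's record
    decide(alice, "alice@example.edu", "updateStatus"), // student changing status
    decide(staff, "bob@example.edu", "updateStatus"),
    decide(staff, "bob@example.edu", "delete"),
  ];
}
```

The decision is taken from the server-side identity set by authentication and the `:email` path parameter, so a valid token alone no longer reaches the handler.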