CVE-2026-25811

PlaciPy Email Domain Trust Enables Cross-Tenant Data Access (Multi-Tenant Isolation Failure)

CVSS 5.3 MEDIUMEPSS 0.3%CWE-863

Vexday Risk Score

13Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 5.3EPSS 0.3%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

09 Feb 2026Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the application derives the tenant identifier directly from the email domain provided by the user, without validating domain ownership or registration. This allows cross-tenant data access.

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Affected products

Praskla-Technology · assessment-placipy

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/Praskla-Technology/assessment-placipy/security/advisories/GHSA-3gmm-9ww2-87fh