{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25753", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-05T18:35:52.357Z", "datePublished": "2026-02-06T18:57:31.419Z", "dateUpdated": "2026-02-09T15:28:38.433Z"}, "containers": {"cna": {"title": "PlaciPy has a Hard-Coded Default Password for All Student Accounts (Account Takeover)", "problemTypes": [{"descriptions": [{"cweId": "CWE-259", "lang": "en", "description": "CWE-259: Use of Hard-coded Password", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/Praskla-Technology/assessment-placipy/security/advisories/GHSA-6537-cf56-j9w2", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Praskla-Technology/assessment-placipy/security/advisories/GHSA-6537-cf56-j9w2"}], "affected": [{"vendor": "Praskla-Technology", "product": "assessment-placipy", "versions": [{"version": "<= 1.0.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-06T18:57:31.419Z"}, "descriptions": [{"lang": "en", "value": "PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the application uses a hard-coded, static default password for all newly created student accounts. This results in mass account takeover, allowing any attacker to log in as any student once the password is known."}], "source": {"advisory": "GHSA-6537-cf56-j9w2", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-09T15:22:53.453481Z", "id": "CVE-2026-25753", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-09T15:28:38.433Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25753", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-09T15:22:53.453481Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-09T15:22:54.331Z"}}], "cna": {"title": "PlaciPy has a Hard-Coded Default Password for All Student Accounts (Account Takeover)", "source": {"advisory": "GHSA-6537-cf56-j9w2", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 9.3, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Praskla-Technology", "product": "assessment-placipy", "versions": [{"status": "affected", "version": "<= 1.0.0"}]}], "references": [{"url": "https://github.com/Praskla-Technology/assessment-placipy/security/advisories/GHSA-6537-cf56-j9w2", "name": "https://github.com/Praskla-Technology/assessment-placipy/security/advisories/GHSA-6537-cf56-j9w2", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the application uses a hard-coded, static default password for all newly created student accounts. This results in mass account takeover, allowing any attacker to log in as any student once the password is known."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-259", "description": "CWE-259: Use of Hard-coded Password"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-06T18:57:31.419Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25753", "state": "PUBLISHED", "dateUpdated": "2026-02-09T15:28:38.433Z", "dateReserved": "2026-02-05T18:35:52.357Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-06T18:57:31.419Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:prasklatechnology:placipy:1.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "6D45A3FA-CF6C-4A70-AF7F-696137CA9133", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the application uses a hard-coded, static default password for all newly created student accounts. This results in mass account takeover, allowing any attacker to log in as any student once the password is known."}], "id": "CVE-2026-25753", "lastModified": "2026-02-11T19:03:15.400", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-06T19:16:10.473", "references": [{"source": "security-advisories@github.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://github.com/Praskla-Technology/assessment-placipy/security/advisories/GHSA-6537-cf56-j9w2"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-259"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T13:31:36.973740+00:00", "value": {"mitigation_remediation": ["Apply the vendor\u2011supplied patch or upgrade to a version where the default password logic is removed or replaced with unique per\u2011account passwords.", "Require an immediate password change for all existing student accounts, preferably enforced at first login or via bulk reset script.", "Enforce an account creation policy that generates a unique password per student or mandates that the user chooses a password before the account becomes active, and enable auditing of account creation."], "summary": {"action": "Immediate Patch", "impact": "Account Takeover via Hard\u2011coded Default Password"}, "threat_synthesis": {"affected_systems": "Version\u202f1.0.0 of Praskla\u2011Technology\u2019s assessment\u2011placipy component is affected. The vulnerability is present in all deployments of that release, regardless of configuration or environment. No later versions are listed as affected.", "description_and_impact": "PlaciPy, a placement management system, assigns a single static default password to every new student account in version\u202f1.0.0. Because the password is hard\u2011coded, anyone who discovers it can authenticate as any student. This enables a full account takeover, compromising confidentiality, integrity, and potentially availability for all student records and related operations. The weakness is identified as CWE\u2011259.", "risk_and_exploitability": "With a CVSS score of\u202f9.3, the flaw is considered critical. The EPSS score is less than 1%, indicating a low but non\u2011zero probability of exploitation in the current landscape, and the vulnerability is not listed in CISA\u2019s KEV catalog. Based on the description, the attacker can authenticate as any student via the student portal using the known default password; this attack route is inferred, not explicitly stated. No privileged system access is required, inferred from the nature of the flaw. Because the flaw resides in application logic rather than a misconfiguration, it is trivial to exploit once the target system is reachable."}}}}, "created": "2026-02-09T10:49:36.986863+00:00", "updated": "2026-04-18T13:45:45.665683+00:00", "vendors": ["praskla-technology", "praskla-technology$PRODUCT$assessment-placipy"]}