PlaciPy Email Domain Trust Enables Cross-Tenant Data Access (Multi-Tenant Isolation...

5.3 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Description

PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the application derives the tenant identifier directly from the email domain provided by the user, without validating domain ownership or registration. This allows cross-tenant data access.

Basic Information

ID CVE-2026-25811

Source GitHub_M

Published Feb 9, 2026 at 21:00

Affected Product

Vendor Praskla-Technology

Product assessment-placipy

Version = 1.0.0

Affected Versions Praskla-Technology assessment-placipy = 1.0.0

CWE Classification

CWE-863

References

github.com /Praskla-Technology/assessment-placipy/security/advisories/GHSA-3gmm-9ww2-87fh

{
    "lastseen": "",
    "description": "PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the application derives the tenant identifier directly from the email domain provided by the user, without validating domain ownership or registration. This allows cross-tenant data access.",
    "published": "2026-02-09T21:00:38.744Z",
    "modified": "2026-02-09T21:00:38.744Z",
    "type": "cve",
    "title": "PlaciPy Email Domain Trust Enables Cross-Tenant Data Access (Multi-Tenant Isolation Failure)",
    "source": "GitHub_M",
    "references": "https://github.com/Praskla-Technology/assessment-placipy/security/advisories/GHSA-3gmm-9ww2-87fh",
    "id": "CVE-2026-25811",
    "bulletinFamily": "",
    "cwe": [
        "CWE-863"
    ],
    "cvelist": null,
    "sourceData": "Praskla-Technology assessment-placipy = 1.0.0",
    "sourceHref": "",
    "cvss": {
        "score": 5.3,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "assessment-placipy",
    "version": "= 1.0.0",
    "vendor": "Praskla-Technology",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

PlaciPy Email Domain Trust Enables Cross-Tenant Data Access (Multi-Tenant Isolation Failure)_CVE-2026-25811