8.7
CVE-2026-25813 - PlaciPy Exposes Sensitive Data via Application Logs
PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, The application logs highly sensitive data directly to console output without masking or redaction.
9.3
CVE-2026-25812 - PlaciPy is Missing CSRF Protection on State-Changing Endpoints
PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the application enables credentialed CORS requests but does not implement any CSRF protection mechanism.
5.3
CVE-2026-25811 - PlaciPy Email Domain Trust Enables Cross-Tenant Data Access (Multi-Tenant Isolation Failure)
PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the application derives the tenant identifier directly from the email domain provided by the user, without validating domain ownership or registration. This allows cross-tenant data access.
5.3
CVE-2026-25809 - PlaciPy Code Execution Allowed Without Assessment Active State Validation
PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the code evaluation endpoint does not validate the assessment lifecycle state before allowing execution. There is no check to ensure that the assessment has started, is not expired, or the submission wβ¦
6.9
CVE-2026-25878 - FroshAdminer Adminer UI is accessible without admin session
FroshAdminer is the Adminer plugin for Shopware Platform. Prior to 2.2.1, the Adminer route (/admin/adminer) was accessible without Shopware admin authentication. The route was configured with auth_required=false and performed no session validation, exposing the Adminer UI to unauthenticated users.β¦
5.3
CVE-2026-25806 - PlaciPy has Missing Authorization Checks on Student Management Endpoints (IDOR)
PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the GET /api/students/:email PUT /api/students/:email/status, and DELETE /api/students/:email routes in backend/src/routes/student.routes.ts only enforce authentication using authenticateToken but do nβ¦
5.3
CVE-2026-25810 - PlaciPy is Missing Object-Level Authorization in student.submission.routes.ts
PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the backend/src/routes/student.submission.routes.ts verify authentication but fails to enforce object-level authorization (ownership checks).
5.3
CVE-2026-25876 - PlaciPy is Missing Authorization on Assessment Results Endpoint
PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the backend/src/routes/results.routes.ts verify authentication but fails to enforce object-level authorization (ownership checks). For example, this can be used to return all results for an assessment.
7.5
CVE-2026-25791 - Sliver has a DNS C2 OTP Bypass Allows Unauthenticated Session Flooding and Denial of Service
Sliver is a command and control framework that uses a custom Wireguard netstack. Prior to 1.7.0, the DNS C2 listener accepts unauthenticated TOTP bootstrap messages and allocates server-side DNS sessions without validating OTP values, even when EnforceOTP is enabled. Because sessions are stored witβ¦
5.8
CVE-2026-25765 - Faraday affected by SSRF via protocol-relative URL host override in build_exclusive_url
Faraday is an HTTP client library abstraction layer that provides a common interface over many adapters. Prior to 2.14.1, Faraday's build_exclusive_url method (in lib/faraday/connection.rb) uses Ruby's URI#merge to combine the connection's base URL with a user-supplied path. Per RFC 3986, protocol-β¦