CVE-2026-25753
Published: 06 February 2026
Summary
CVE-2026-25753 is a critical-severity Use of Hard-coded Password (CWE-259) vulnerability in Prasklatechnology Placipy. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Default Accounts (T1078.001). Its exploit-likelihood percentile rank is 7.1 (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and IA-5 (Authenticator Management).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
IA-5 explicitly requires that default authenticators be changed before first use and that passwords be managed securely; enforced for every newly created student account, it removes the shared static password the exploit depends on.
AC-2 mandates account-management procedures that prohibit shared or default credentials, so each student account must receive a unique initial credential at creation, which blocks the mass takeover described here.
CM-6 requires documented, verified baseline configuration settings; a baseline that forbids default credentials gives operators a check that would flag a deployment whose accounts still accept the hard-coded password.
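The following is an added example, not code from PlaciPy or from this page: it shows the vulnerable account-creation pattern (CWE-259) beside a hardened version that does what IA-5 and AC-2 ask for, a unique random one-time password per account, forced rotation on first login, and an audit check for accounts still on the default. Every name in it (`create_student_vulnerable`, `DEFAULT_PASSWORD`, the `Student` record) is an illustrative assumption; the literal value PlaciPy used is not given on this page.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass

# Hypothetical stand-in for whatever literal a vulnerable application hard-codes;
# the actual value PlaciPy used is not given on this page.
DEFAULT_PASSWORD = "Welcome123"

PBKDF2_ROUNDS = 100_000


@dataclass
class Student:
    username: str
    salt: bytes
    pw_hash: bytes
    must_change_password: bool = False


def _hash(password: str, salt: bytes) -> bytes:
    # Salted, slow hash; the salt is per account so identical passwords do not
    # produce identical hashes (which would otherwise leak the default pattern).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def create_student_vulnerable(username: str) -> Student:
    """Vulnerable pattern (CWE-259): every new account gets the same static
    password, so anyone who learns it can log in as any student."""
    salt = os.urandom(16)
    return Student(username, salt, _hash(DEFAULT_PASSWORD, salt))


def create_student_hardened(username: str) -> tuple[Student, str]:
    """Hardened pattern (IA-5 / AC-2): a unique random one-time password per
    account, returned once for out-of-band delivery, plus a flag that forces
    rotation before the account can be used."""
    one_time = secrets.token_urlsafe(12)
    salt = os.urandom(16)
    student = Student(username, salt, _hash(one_time, salt), must_change_password=True)
    return student, one_time


def verify_password(student: Student, candidate: str) -> bool:
    return hmac.compare_digest(student.pw_hash, _hash(candidate, student.salt))


def login(student: Student, candidate: str) -> str:
    """'denied' on a wrong password, 'rotate' when the one-time password is
    still in place (no session is issued), 'ok' otherwise."""
    if not verify_password(student, candidate):
        return "denied"
    if student.must_change_password:
        return "rotate"
    return "ok"


def change_password(student: Student, current: str, new: str) -> bool:
    """Rotate the password; refuses unauthenticated, short or reused values."""
    if not verify_password(student, current) or len(new) < 12 or new == current:
        return False
    student.salt = os.urandom(16)
    student.pw_hash = _hash(new, student.salt)
    student.must_change_password = False
    return True


def accounts_on_default_password(students: list[Student]) -> list[str]:
    """Audit check for existing deployments: which accounts still accept the
    known default? Accounts created before a fix stay exposed until rotated."""
    return [s.username for s in students if verify_password(s, DEFAULT_PASSWORD)]
```

The audit helper is the part to keep in mind after patching: shipping a fixed version stops new accounts from receiving the default, but every account provisioned before the fix still holds it until it is rotated or the operator forces a reset.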
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A hard-coded static default password shared by all new accounts is exactly the condition Default Accounts (T1078.001) describes: an attacker logs in with a valid, pre-existing credential rather than breaking authentication, so the resulting sessions look like legitimate student activity.
NVD Description
PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the application uses a hard-coded, static default password for all newly created student accounts. This results in mass account takeover, allowing any attacker to log in as any student once the password is known.
Deeper analysis
CVE-2026-25753 is a critical vulnerability in PlaciPy version 1.0.0, a placement management system designed for educational institutions. The flaw stems from the use of a hard-coded, static default password for all newly created student accounts, enabling mass account takeover once the password is known. It is classified under CWE-259 and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting its high severity due to network accessibility, low complexity, and lack of prerequisites.
Any unauthenticated attacker with network access can exploit this vulnerability by obtaining the static default password and using it to log in as any student account. Because the password is hard-coded into the application rather than generated per account, it is the same across installations and is known to every student who was provisioned with it, so it cannot be treated as a secret. Exploitation requires no privileges or user interaction, and a single credential yields full compromise of every student account that has not yet changed its password. This gives the attacker high impact on confidentiality, integrity, and availability: exposure of sensitive student data and the ability to take unauthorized actions within the placement management platform. Note that a code fix alone does not close the hole for accounts created before the fix; those remain exposed until their passwords are rotated.
The GitHub security advisory (GHSA-6537-cf56-j9w2) at https://github.com/Praskla-Technology/assessment-placipy/security/advisories/GHSA-6537-cf56-j9w2 documents the issue and should be consulted for mitigation guidance, including any available patches or workarounds.
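For defenders who cannot patch immediately, the mass-takeover pattern described above is detectable in authentication logs: one source logging into many distinct student accounts in a short window. The block below is an added example, not part of this page or the PlaciPy project. The log format (`<ISO timestamp> <result> user=<name> src=<ip>`), the field names and the sample lines are all constructed for the example; adapt `parse_line` to the real application's log format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log in an assumed line format:
# "<ISO timestamp> <result> user=<name> src=<ip>".  Not real PlaciPy output.
SAMPLE_LOG = """\
2026-02-06T09:00:01 login_ok user=alice src=10.0.0.5
2026-02-06T09:03:10 login_ok user=bob src=10.0.0.9
2026-02-06T09:10:00 login_ok user=stu001 src=203.0.113.7
2026-02-06T09:10:02 login_ok user=stu002 src=203.0.113.7
2026-02-06T09:10:04 login_ok user=stu003 src=203.0.113.7
2026-02-06T09:10:06 login_ok user=stu004 src=203.0.113.7
2026-02-06T09:10:08 login_ok user=stu005 src=203.0.113.7
2026-02-06T09:10:09 login_fail user=stu006 src=203.0.113.7
2026-02-06T11:30:00 login_ok user=alice src=10.0.0.5
"""


def parse_line(line):
    """Split one assumed-format log line into (timestamp, result, user, src)."""
    ts, result, user_kv, src_kv = line.split()
    return (
        datetime.fromisoformat(ts),
        result,
        user_kv.split("=", 1)[1],
        src_kv.split("=", 1)[1],
    )


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def find_mass_takeover(events, window=timedelta(minutes=5), min_accounts=5):
    """Return {src_ip: sorted distinct users} for every source that logged in
    successfully to at least `min_accounts` distinct accounts within `window`.
    Failed logins are ignored: with a valid default password there are none,
    which is why brute-force style detections miss this technique."""
    by_src = defaultdict(list)
    for ts, result, user, src in events:
        if result == "login_ok":
            by_src[src].append((ts, user))

    hits = {}
    for src, evs in by_src.items():
        evs.sort()
        left = 0
        # Sliding window over successful logins from this source.
        for right in range(len(evs)):
            while evs[right][0] - evs[left][0] > window:
                left += 1
            users = {u for _, u in evs[left:right + 1]}
            if len(users) >= min_accounts:
                hits[src] = sorted(users)
                break
    return hits


if __name__ == "__main__":
    for src, users in find_mass_takeover(parse_log(SAMPLE_LOG)).items():
        print(f"possible mass account takeover from {src}: {', '.join(users)}")
```

Tune `min_accounts` and `window` to the deployment: a campus NAT or a shared computer lab legitimately puts many students behind one address, so in that setting the threshold must be higher or the source field replaced by a per-device identifier such as a session cookie or user agent fingerprint.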
Details
- CWE(s)