Cyber Resilience

CVE-2026-25809

Medium

Published: 09 February 2026

Modified: 11 February 2026
CVSS Score (v4): 5.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0031 (22.5th percentile)
Risk Priority: 35 (floored blend, peak EPSS)

Summary

CVE-2026-25809 is a medium-severity Improper Authorization (CWE-285) vulnerability in Prasklatechnology Placipy. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 22.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-25809 is a critical vulnerability in PlaciPy version 1.0.0, a placement management system designed for educational institutions. The issue affects the code evaluation endpoint, which does not validate the assessment lifecycle state before permitting code execution. There is no check to confirm that the assessment has started, remains unexpired, or has an open submission window, leading to improper authorization classified as CWE-285. Published on 2026-02-09, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity and no user interaction. By accessing the code evaluation endpoint without lifecycle validation, they can execute arbitrary code at any time, achieving high impacts on confidentiality, integrity, and availability of the affected system.

Mitigation guidance is available in the GitHub security advisory at https://github.com/Praskla-Technology/assessment-placipy/security/advisories/GHSA-cc32-rp29-w9x7.

Vulnerability details

PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the code evaluation endpoint does not validate the assessment lifecycle state before allowing execution. There is no check to ensure that the assessment has started, is not expired, or that the submission window is currently open.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability allows unauthenticated remote code execution on a public-facing web application endpoint without proper authorization checks, directly enabling exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-25813 (same product: Prasklatechnology Placipy)
CVE-2026-25875 (same product: Prasklatechnology Placipy)
CVE-2026-25814 (same product: Prasklatechnology Placipy)
CVE-2026-25876 (same product: Prasklatechnology Placipy)
CVE-2026-25811 (same product: Prasklatechnology Placipy)
CVE-2026-25810 (same product: Prasklatechnology Placipy)
CVE-2026-25753 (same product: Prasklatechnology Placipy)
CVE-2026-25812 (same product: Prasklatechnology Placipy)
CVE-2025-11521 (shared CWE-285)
CVE-2025-49701 (shared CWE-285)

Affected Assets

Vendor: prasklatechnology
Product: placipy
Version: 1.0.0

Mitigating Controls (NIST 800-53 r5)

prevent: Enforces approved authorizations on the code evaluation endpoint by requiring validation of the assessment lifecycle state before permitting execution.

prevent: Requires access control decisions for the code evaluation endpoint to incorporate dynamic factors such as assessment start, expiration, and submission window status.

prevent: Limits the privilege to execute code on the endpoint to scenarios where the assessment lifecycle state is valid, preventing unauthorized access.
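As an added illustration of the missing check described under "Deeper analysis" and of the controls listed above (example code, not PlaciPy's own; the assessment fields, handler names and timestamps are constructed assumptions), here is the unguarded evaluation pattern beside a lifecycle gate that checks start time, expiry and the submission window before anything runs:

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone

# Constructed assessment record; PlaciPy's real schema and handler names are not on the page, so every name here is an assumption.
@dataclass(frozen=True)
class Assessment:
    starts_at: datetime       # candidates may not run code before this
    expires_at: datetime      # hard end; nothing runs at or after this
    submissions_open: bool    # staff-controlled submission window

def lifecycle_check(a: Assessment, now: datetime) -> tuple[bool, str]:
    """Return (allowed, reason); a distinct reason per rule makes blocked requests auditable."""
    if now < a.starts_at:
        return False, "assessment_not_started"
    if now >= a.expires_at:
        return False, "assessment_expired"
    if not a.submissions_open:
        return False, "submission_window_closed"
    return True, "ok"

def run_submission(code: str) -> str:
    return f"evaluated {len(code)} bytes"   # stand-in for the grader itself

def evaluate_vulnerable(a: Assessment, now: datetime, code: str) -> dict:
    # The pattern the advisory describes: evaluation with no lifecycle gate at all.
    return {"status": 200, "result": run_submission(code)}

def evaluate_hardened(a: Assessment, now: datetime, code: str) -> dict:
    # Fix: make the access decision on lifecycle state before anything runs (AC-3 / AC-24).
    allowed, reason = lifecycle_check(a, now)
    if not allowed:
        return {"status": 403, "error": reason}
    return {"status": 200, "result": run_submission(code)}

def scenario_statuses() -> dict[str, tuple[int, int, str]]:
    """Both handlers over constructed lifecycle states: name -> (vulnerable, hardened, reason)."""
    t0 = datetime(2026, 2, 9, 9, 0, tzinfo=timezone.utc)
    live = Assessment(t0, t0 + timedelta(hours=2), True)
    cases = {
        "before_start": (live, t0 - timedelta(minutes=5)),
        "during_window": (live, t0 + timedelta(minutes=30)),
        "after_expiry": (live, t0 + timedelta(hours=3)),
        "window_closed": (replace(live, submissions_open=False), t0 + timedelta(minutes=30)),
    }
    out = {}
    for name, (a, now) in cases.items():
        v, h = evaluate_vulnerable(a, now, "print(1)"), evaluate_hardened(a, now, "print(1)")
        out[name] = (v["status"], h["status"], h.get("error", "ok"))
    return out
```

Calling `scenario_statuses()` shows the vulnerable handler returning 200 in every state while the hardened one returns 403 with the specific lifecycle reason outside the open window.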
