CVE-2026-25809
Published: 09 February 2026
Summary
CVE-2026-25809 is a critical-severity Improper Authorization (CWE-285) vulnerability in Prasklatechnology Placipy. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 27.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and AC-3 (Access Enforcement).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Enforces approved authorizations on the code evaluation endpoint by requiring validation of assessment lifecycle state before permitting execution.
Requires access control decisions for the code evaluation endpoint to incorporate dynamic factors like assessment start, expiration, and submission window status.
Limits privileges to execute code on the endpoint only to scenarios where the assessment lifecycle state is valid, preventing unauthorized access.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability allows unauthenticated remote code execution on a public-facing web application endpoint without proper authorization checks, directly enabling exploitation of public-facing applications.
NVD Description
PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the code evaluation endpoint does not validate the assessment lifecycle state before allowing execution. There is no check to ensure that the assessment has started, is not…
more
expired, or the submission window is currently open.
Deeper analysisAI
CVE-2026-25809 is a critical vulnerability in PlaciPy version 1.0.0, a placement management system designed for educational institutions. The issue affects the code evaluation endpoint, which does not validate the assessment lifecycle state before permitting code execution. There is no check to confirm that the assessment has started, remains unexpired, or has an open submission window, leading to improper authorization classified as CWE-285. Published on 2026-02-09, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity and no user interaction. By accessing the code evaluation endpoint without lifecycle validation, they can execute arbitrary code at any time, achieving high impacts on confidentiality, integrity, and availability of the affected system.
Mitigation guidance is available in the GitHub security advisory at https://github.com/Praskla-Technology/assessment-placipy/security/advisories/GHSA-cc32-rp29-w9x7.
Details
- CWE(s)