Cyber Resilience

CVE-2026-25810

Medium

Published: 09 February 2026

Published
09 February 2026
Modified
11 February 2026
KEV Added
Patch
CVSS Score v4 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0025 15.6th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2026-25810 is a medium-severity Missing Authorization (CWE-862) vulnerability in Prasklatechnology Placipy. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 15.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-16 (Security and Privacy Attributes) and AC-24 (Access Control Decisions).

Deeper analysis

CVE-2026-25810 is a missing authorization vulnerability (CWE-862) in PlaciPy version 1.0.0, a placement management system designed for educational institutions. The issue resides in the backend/src/routes/student.submission.routes.ts component, which verifies authentication but fails to enforce object-level authorization, specifically ownership checks. Published on 2026-02-09, it carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).

Remote attackers require no privileges (PR:N) and can exploit this over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). Successful exploitation allows high-impact unauthorized access to confidential data (C:H) and modification of objects (I:H), such as student submissions, without affecting availability (A:N).

Mitigation details are available in the GitHub security advisory at https://github.com/Praskla-Technology/assessment-placipy/security/advisories/GHSA-2gqv-gxrj-p8x3.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the backend/src/routes/student.submission.routes.ts verify authentication but fails to enforce object-level authorization (ownership checks).

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
T1565.001 Stored Data Manipulation Impact
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Why these techniques?

Missing authorization (IDOR-style) in public-facing PlaciPy backend routes enables remote unauthenticated exploitation of the web app (T1190) to read/modify application data stored locally (T1005) or at rest (T1565.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-25876Same product: Prasklatechnology Placipy
CVE-2026-25814Same product: Prasklatechnology Placipy
CVE-2026-25813Same product: Prasklatechnology Placipy
CVE-2026-25875Same product: Prasklatechnology Placipy
CVE-2026-25809Same product: Prasklatechnology Placipy
CVE-2026-25811Same product: Prasklatechnology Placipy
CVE-2026-25812Same product: Prasklatechnology Placipy
CVE-2026-25753Same product: Prasklatechnology Placipy
CVE-2026-27638Shared CWE-862
CVE-2025-0952Shared CWE-862

Affected Assets

prasklatechnology
placipy
1.0.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

AC-3 requires enforcement of approved authorizations for logical access to system resources, directly addressing the failure to enforce object-level ownership checks in the student submission routes.

prevent

AC-24 mandates that access control decisions explicitly verify security attributes such as ownership prior to granting access, mitigating the missing authorization vulnerability.

prevent

AC-16 ensures security attributes like student ownership are properly assigned, associated, and enforced on resources, enabling object-level authorization checks.

References