CVE-2026-25810
Published: 09 February 2026
Summary
CVE-2026-25810 is a critical-severity Missing Authorization (CWE-862) vulnerability in Prasklatechnology Placipy. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 22.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-16 (Security and Privacy Attributes) and AC-24 (Access Control Decisions).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) [AI-generated]
AC-3 requires enforcement of approved authorizations for logical access to system resources, directly addressing the failure to enforce object-level ownership checks in the student submission routes.
AC-24 mandates that access control decisions explicitly verify security attributes such as ownership prior to granting access, mitigating the missing authorization vulnerability.
AC-16 ensures security attributes like student ownership are properly assigned, associated, and enforced on resources, enabling object-level authorization checks.
MITRE ATT&CK Enterprise Techniques [AI-generated]
Why these techniques?
Missing authorization (IDOR-style) in public-facing PlaciPy backend routes enables remote unauthenticated exploitation of the web application (T1190) to read application data (T1005) or modify data at rest (T1565.001).
NVD Description
PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the routes in backend/src/routes/student.submission.routes.ts verify authentication but fail to enforce object-level authorization (ownership checks).
Deeper analysis [AI-generated]
CVE-2026-25810 is a missing authorization vulnerability (CWE-862) in PlaciPy version 1.0.0, a placement management system designed for educational institutions. The issue resides in the backend/src/routes/student.submission.routes.ts component, which verifies authentication but fails to enforce object-level authorization, specifically ownership checks. Published on 2026-02-09, it carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).
Remote attackers require no privileges (PR:N) and can exploit this over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). Successful exploitation allows high-impact unauthorized access to confidential data (C:H) and modification of objects (I:H), such as student submissions, without affecting availability (A:N).
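The following TypeScript is an added illustration of the CWE-862 pattern the advisory describes (an authenticated route that returns or updates a submission by id without confirming the caller owns it) beside the ownership-checked form that AC-16/AC-24 call for. It is not PlaciPy's code and makes no claim about how the real student.submission.routes.ts is written; the Submission/AuthRequest types, the in-memory STORE and the handler names are hypothetical, and the framework is replaced by plain functions so the block runs offline.

```typescript
// Added example, not PlaciPy's code. All names below are hypothetical.

interface Submission {
  id: string;
  studentId: string; // owning student: the security attribute an access decision must consult
  content: string;
}

interface AuthRequest {
  userId: string;          // populated by the authentication layer before the handler runs
  params: { id: string };  // object id taken from the URL
}

interface HandlerResponse {
  status: number;
  body: Submission | { error: string };
}

// Constructed in-memory data standing in for the database.
const STORE = new Map<string, Submission>([
  ["sub-1", { id: "sub-1", studentId: "student-A", content: "resume of A" }],
  ["sub-2", { id: "sub-2", studentId: "student-B", content: "resume of B" }],
]);

// Vulnerable pattern (CWE-862): authentication is verified, but the object is
// returned to any authenticated caller regardless of who owns it.
function getSubmissionVulnerable(req: AuthRequest): HandlerResponse {
  if (!req.userId) return { status: 401, body: { error: "unauthenticated" } };
  const sub = STORE.get(req.params.id);
  if (!sub) return { status: 404, body: { error: "not found" } };
  return { status: 200, body: sub };
}

// Shared object-level check: the access decision is made on the ownership
// attribute, not on the mere presence of a session.
function loadOwned(req: AuthRequest): Submission | undefined {
  const sub = STORE.get(req.params.id);
  if (!sub || sub.studentId !== req.userId) return undefined;
  return sub;
}

// Hardened read: missing and foreign objects are answered identically, so the
// endpoint does not reveal which ids exist to a caller who does not own them.
function getSubmissionChecked(req: AuthRequest): HandlerResponse {
  if (!req.userId) return { status: 401, body: { error: "unauthenticated" } };
  const sub = loadOwned(req);
  if (!sub) return { status: 404, body: { error: "not found" } };
  return { status: 200, body: sub };
}

// Hardened write: the same ownership decision precedes any modification,
// covering the integrity side of the advisory (I:H) as well as confidentiality.
function updateSubmissionChecked(req: AuthRequest, content: string): HandlerResponse {
  if (!req.userId) return { status: 401, body: { error: "unauthenticated" } };
  const sub = loadOwned(req);
  if (!sub) return { status: 404, body: { error: "not found" } };
  sub.content = content;
  return { status: 200, body: sub };
}

// Quick comparison when run directly: student-B asks for student-A's object.
const crossStudent: AuthRequest = { userId: "student-B", params: { id: "sub-1" } };
console.log("vulnerable:", getSubmissionVulnerable(crossStudent).status); // 200: leaks A's data
console.log("checked:   ", getSubmissionChecked(crossStudent).status);    // 404: denied
```

The point to take from the two handlers is that the check is per object, not per route: a detection or code-review rule for this class of bug looks for handlers that call the data layer with a caller-supplied id and never compare the result's owner field against the authenticated identity.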
Mitigation details are available in the GitHub security advisory at https://github.com/Praskla-Technology/assessment-placipy/security/advisories/GHSA-2gqv-gxrj-p8x3.
Details
- CWE(s)