CVE-2026-25812
Published: 09 February 2026
Summary
CVE-2026-25812 is a high-severity CSRF (CWE-352) vulnerability in Prasklatechnology PlaciPy. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Spearphishing Link (T1566.002); ranked at the 7.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SC-23 protects the authenticity of communications sessions, directly mitigating CSRF attacks that forge unauthorized requests using valid user credentials.
SI-10 validates information inputs, such as CSRF tokens on state-changing requests, which blocks the forged requests that a credentialed CORS configuration lacking CSRF protection would otherwise accept.
SC-7 monitors and controls communications at system boundaries, enabling detection and blocking of unauthorized cross-origin requests exploiting the CSRF vulnerability.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CSRF requires tricking an authenticated user into visiting a malicious webpage or link, which is a direct match for spearphishing-link delivery followed by user execution. Public web-application exposure enables the vector, but the UI:R requirement rules out purely server-side mappings such as T1190 (Exploit Public-Facing Application).
NVD Description
PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the application enables credentialed CORS requests but does not implement any CSRF protection mechanism.
Deeper analysis
CVE-2026-25812 is a cross-site request forgery (CSRF) vulnerability, classified under CWE-352, affecting PlaciPy version 1.0.0. PlaciPy is a placement management system designed for educational institutions. The flaw arises because the application enables credentialed CORS requests without implementing any CSRF protection mechanism. It carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high severity due to network accessibility, low attack complexity, and significant potential impacts.
An attacker can exploit this vulnerability remotely with no privileges required, though it necessitates user interaction, such as tricking an authenticated user into visiting a malicious webpage. The attacker's site can then issue unauthorized credentialed requests to the PlaciPy application on the user's behalf, leveraging the enabled CORS configuration. Successful exploitation could result in high confidentiality, integrity, and availability impacts, such as unauthorized data access, modification of placement records, or service disruption.
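The following is an added defender's example and is not PlaciPy's own code (the product's framework and routes are not described on this page). It places the weak pattern the advisory describes, a reflected Origin with credentials allowed, beside a hardened request gate that combines an Origin allowlist with a session-bound CSRF token on state-changing requests; the origin values are constructed.

```python
# Added example, not PlaciPy's code: weak credentialed CORS grant beside a
# hardened gate (Origin allowlist + per-session CSRF token) for write requests.
import hmac
import secrets
from urllib.parse import urlsplit

STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}
ALLOWED_ORIGINS = {"https://placipy.example"}  # constructed value

def cors_headers_weak(request_origin):
    """Reflects any Origin and allows credentials: the combination that lets
    a page on another site send cookie-bearing requests and read responses."""
    return {"Access-Control-Allow-Origin": request_origin,
            "Access-Control-Allow-Credentials": "true"}

def cors_headers_hardened(request_origin):
    """Only allowlisted origins receive a credentialed CORS grant."""
    if request_origin in ALLOWED_ORIGINS:
        return {"Access-Control-Allow-Origin": request_origin,
                "Access-Control-Allow-Credentials": "true",
                "Vary": "Origin"}
    return {}

def new_csrf_token():
    """Per-session token stored server-side and echoed into forms/headers."""
    return secrets.token_urlsafe(32)

def check_state_change(method, headers, session_token, submitted_token):
    """Return (ok, reason). A write is accepted only if its Origin (or Referer,
    for clients that omit Origin) is allowlisted and the submitted token
    matches the one bound to the user's session."""
    if method.upper() not in STATE_CHANGING:
        return True, "read-only request"
    origin = headers.get("Origin")
    if origin is None and headers.get("Referer"):
        parts = urlsplit(headers["Referer"])
        origin = f"{parts.scheme}://{parts.netloc}"
    if origin not in ALLOWED_ORIGINS:
        return False, "origin not allowed"
    if not session_token or not submitted_token:
        return False, "missing CSRF token"
    if not hmac.compare_digest(session_token, submitted_token):
        return False, "CSRF token mismatch"
    return True, "ok"

if __name__ == "__main__":
    tok = new_csrf_token()
    # Constructed forged write: another origin sends the victim's cookies but
    # cannot read the session-bound token, so the gate rejects it.
    print(check_state_change("POST", {"Origin": "https://other-site.example"}, tok, None))
    print(check_state_change("POST", {"Origin": "https://placipy.example"}, tok, tok))
```

Because the browser attaches cookies automatically, the session cookie alone never proves intent; the token and the Origin check are what distinguish the user's own form submission from a forged one.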
The primary reference is a GitHub security advisory at https://github.com/Praskla-Technology/assessment-placipy/security/advisories/GHSA-99xx-fc63-wc39, published on 2026-02-09, which details the issue.
Details
- CWE(s)