CVE-2026-25812

Critical

Published: 09 February 2026
Modified: 18 February 2026
KEV Added: not listed
CVSS v4.0 base score: 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0014 (3.9th percentile)
Risk priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-25812 is a critical-severity CSRF (CWE-352) vulnerability in Prasklatechnology Placipy. Its CVSS v4.0 base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Spearphishing Link (T1566.002). The CVE ranks at the 3.9th percentile by exploit likelihood (EPSS), well below the median, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-25812 is a cross-site request forgery (CSRF) vulnerability, classified under CWE-352, affecting PlaciPy version 1.0.0. PlaciPy is a placement management system designed for educational institutions. The flaw arises because the application enables credentialed CORS requests without implementing any CSRF protection mechanism. It carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high severity due to network accessibility, low attack complexity, and significant potential impacts.

An attacker can exploit this vulnerability remotely with no privileges required, though it necessitates user interaction, such as tricking an authenticated user into visiting a malicious webpage. The attacker's site can then issue unauthorized credentialed requests to the PlaciPy application on the user's behalf, leveraging the enabled CORS configuration. Successful exploitation could result in high confidentiality, integrity, and availability impacts, such as unauthorized data access, modification of placement records, or service disruption.

The primary reference is a GitHub security advisory at https://github.com/Praskla-Technology/assessment-placipy/security/advisories/GHSA-99xx-fc63-wc39, published on 2026-02-09, which details the issue.

Vulnerability details

PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the application enables credentialed CORS requests but does not implement any CSRF protection mechanism.

CWE(s)

CWE-352 Cross-Site Request Forgery (CSRF)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1566.002 Spearphishing Link (Initial Access): Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems.

T1204.001 Malicious Link (Execution): An adversary may rely upon a user clicking a malicious link in order to gain execution.

Why these techniques?

CSRF requires tricking an authenticated user into visiting a malicious webpage or link, which directly matches spearphishing-link delivery (T1566.002) followed by user execution of the link (T1204.001). Public exposure of the web application enables the vector, but the UI:R requirement rules out purely server-side mappings such as Exploit Public-Facing Application (T1190).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-25814: same product (Prasklatechnology Placipy)
CVE-2026-25810: same product (Prasklatechnology Placipy)
CVE-2026-25813: same product (Prasklatechnology Placipy)
CVE-2026-25753: same product (Prasklatechnology Placipy)
CVE-2026-25875: same product (Prasklatechnology Placipy)
CVE-2026-25876: same product (Prasklatechnology Placipy)
CVE-2026-25809: same product (Prasklatechnology Placipy)
CVE-2026-25811: same product (Prasklatechnology Placipy)
CVE-2024-51144: shared CWE-352
CVE-2025-59894: shared CWE-352

Affected Assets

Vendor: prasklatechnology
Product: placipy
Version: 1.0.0

Mitigating Controls (NIST 800-53 r5, AI)

[prevent] SC-23 Session Authenticity: protects the authenticity of communications sessions, directly mitigating CSRF attacks that forge unauthorized requests using valid user credentials.

[prevent] SI-10 Information Input Validation: validates information inputs, such as CSRF tokens on state-changing requests, preventing exploitation of credentialed CORS that lacks CSRF protection.

[prevent, detect] SC-7 Boundary Protection: monitors and controls communications at system boundaries, enabling detection and blocking of unauthorized cross-origin requests that exploit the CSRF vulnerability.
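The combination described in the Deeper analysis (credentialed CORS with no CSRF protection) and the SC-23/SI-10 controls above can be made concrete in a few lines. The following is an added example written for this page, not PlaciPy's own code: it shows the weak pattern (reflecting any Origin together with Allow-Credentials) beside a hardened handler that restricts credentialed CORS to an allowlist and requires a synchronizer token on state-changing requests. The origins, header names, endpoint and session dictionary are constructed for the demonstration.

```python
"""Credentialed CORS handling, weak vs. hardened, plus a synchronizer-token CSRF check.

Illustrative code written for this page; not PlaciPy's code. Origins, header
names and the simulated endpoint are constructed assumptions.
"""
import hmac
import secrets

# Constructed allowlist of origins permitted to make credentialed cross-origin calls.
TRUSTED_ORIGINS = frozenset({"https://placements.example.edu"})

# HTTP methods that change server-side state and therefore need CSRF protection.
STATE_CHANGING_METHODS = frozenset({"POST", "PUT", "PATCH", "DELETE"})


def cors_headers_weak(request_headers):
    """The pattern the advisory describes: whatever Origin arrives is reflected back
    together with Allow-Credentials, so a browser on any third-party page can send
    the victim's cookies and read the response."""
    origin = request_headers.get("Origin")
    if origin is None:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }


def cors_headers_hardened(request_headers):
    """Only allowlisted origins receive credentialed CORS headers; any other origin
    gets none, so the browser refuses the cross-origin read."""
    origin = request_headers.get("Origin")
    if origin not in TRUSTED_ORIGINS:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",  # cache per origin, never a shared reflected value
    }


def issue_csrf_token(session):
    """Bind a fresh random token to the server-side session (synchronizer token)."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def csrf_token_valid(request_headers, form, session):
    """Accept the token from a custom header or a form field; compare in constant time."""
    expected = session.get("csrf_token")
    supplied = request_headers.get("X-CSRF-Token") or form.get("csrf_token")
    if not expected or not supplied:
        return False
    return hmac.compare_digest(expected.encode("utf-8"), supplied.encode("utf-8"))


def handle_state_change(method, request_headers, form, session):
    """Simulated state-changing endpoint (e.g. editing a placement record).

    Returns (status_code, response_headers). Safe methods pass through; a
    state-changing request must come from a trusted origin when an Origin header
    is present, and must carry a valid synchronizer token.
    """
    cors = cors_headers_hardened(request_headers)
    if method not in STATE_CHANGING_METHODS:
        return 200, cors
    origin = request_headers.get("Origin")
    if origin is not None and origin not in TRUSTED_ORIGINS:
        return 403, cors  # cross-site request from an untrusted origin
    if not csrf_token_valid(request_headers, form, session):
        return 403, cors  # missing or wrong synchronizer token
    return 200, cors


if __name__ == "__main__":
    session = {}
    token = issue_csrf_token(session)
    # Forged request from an untrusted page carrying only the victim's cookies: rejected.
    print(handle_state_change("POST", {"Origin": "https://untrusted.example"}, {}, session)[0])
    # Legitimate request from the application's own origin with the token: accepted.
    print(handle_state_change("POST", {"Origin": "https://placements.example.edu",
                                       "X-CSRF-Token": token}, {}, session)[0])
```

The two defences are independent: the origin allowlist stops the browser from exposing credentialed responses to other sites (the CORS half of the advisory), while the token check rejects forged state changes even from requests the browser would submit anyway, such as a plain form POST that never triggers CORS at all. A request that fails either check is a useful detection signal at the boundary (SC-7): logging rejected origins and token mismatches surfaces forgery attempts without any change to the user-facing flow.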

References

https://github.com/Praskla-Technology/assessment-placipy/security/advisories/GHSA-99xx-fc63-wc39 (GitHub security advisory, published 2026-02-09)