CVE-2026-25813
Published: 09 February 2026
Summary
CVE-2026-25813 is a high-severity Insertion of Sensitive Information into Log File (CWE-532) vulnerability in Prasklatechnology Placipy. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 16.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AU-13 (Monitoring for Information Disclosure) and AU-3 (Content of Audit Records).
Deeper analysis
CVE-2026-25813 is a vulnerability in PlaciPy version 1.0.0, a placement management system designed for educational institutions. The issue stems from the application logging highly sensitive data directly to console output without masking or redaction, corresponding to CWE-532 (Insertion of Sensitive Information into Log File). It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high severity primarily due to confidentiality impact.
The vulnerability can be exploited by any remote attacker with network access, requiring low attack complexity, no privileges, and no user interaction. Successful exploitation allows the attacker to access unredacted sensitive data from console logs, potentially exposing confidential information managed by the system without affecting integrity or availability.
Mitigation details are available in the GitHub security advisory at https://github.com/Praskla-Technology/assessment-placipy/security/advisories/GHSA-3647-q595-wfr2, published on 2026-02-09.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-6860
Vulnerability details
PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, The application logs highly sensitive data directly to console output without masking or redaction.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability in network-accessible placement management application enables remote unauthenticated access to sensitive data via exposed console logs, mapping to exploitation of public-facing apps for data access.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
AU-13 directly requires checking and redacting sensitive information from logs or console outputs before writing, comprehensively addressing the unredacted sensitive data logging in PlaciPy.
AU-3 defines the content of audit records to include only necessary information, enabling specification of redaction rules to prevent sensitive data exposure in logs.
AU-9 protects audit information including console logs from unauthorized access, providing secondary mitigation against exploitation of exposed sensitive data.