Cyber Resilience

CVE-2026-25813

High

Published: 09 February 2026

Published
09 February 2026
Modified
18 February 2026
KEV Added
Patch
CVSS Score v4 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0026 16.7th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-25813 is a high-severity Insertion of Sensitive Information into Log File (CWE-532) vulnerability in Prasklatechnology Placipy. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 16.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AU-13 (Monitoring for Information Disclosure) and AU-3 (Content of Audit Records).

Deeper analysis

CVE-2026-25813 is a vulnerability in PlaciPy version 1.0.0, a placement management system designed for educational institutions. The issue stems from the application logging highly sensitive data directly to console output without masking or redaction, corresponding to CWE-532 (Insertion of Sensitive Information into Log File). It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high severity primarily due to confidentiality impact.

The vulnerability can be exploited by any remote attacker with network access, requiring low attack complexity, no privileges, and no user interaction. Successful exploitation allows the attacker to access unredacted sensitive data from console logs, potentially exposing confidential information managed by the system without affecting integrity or availability.

Mitigation details are available in the GitHub security advisory at https://github.com/Praskla-Technology/assessment-placipy/security/advisories/GHSA-3647-q595-wfr2, published on 2026-02-09.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, The application logs highly sensitive data directly to console output without masking or redaction.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Vulnerability in network-accessible placement management application enables remote unauthenticated access to sensitive data via exposed console logs, mapping to exploitation of public-facing apps for data access.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-25809Same product: Prasklatechnology Placipy
CVE-2026-25875Same product: Prasklatechnology Placipy
CVE-2026-25814Same product: Prasklatechnology Placipy
CVE-2026-25876Same product: Prasklatechnology Placipy
CVE-2026-25811Same product: Prasklatechnology Placipy
CVE-2026-25810Same product: Prasklatechnology Placipy
CVE-2026-25753Same product: Prasklatechnology Placipy
CVE-2026-25812Same product: Prasklatechnology Placipy
CVE-2025-66236Shared CWE-532
CVE-2024-48852Shared CWE-532

Affected Assets

prasklatechnology
placipy
1.0.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

AU-13 directly requires checking and redacting sensitive information from logs or console outputs before writing, comprehensively addressing the unredacted sensitive data logging in PlaciPy.

prevent

AU-3 defines the content of audit records to include only necessary information, enabling specification of redaction rules to prevent sensitive data exposure in logs.

prevent

AU-9 protects audit information including console logs from unauthorized access, providing secondary mitigation against exploitation of exposed sensitive data.

References