CVE-2026-25814
Published: 09 February 2026
Summary
CVE-2026-25814 is a critical-severity Injection (CWE-74) vulnerability in Prasklatechnology Placipy. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 23.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires validation and sanitization of user-controlled query parameters before constructing DynamoDB queries to prevent injection attacks.
Mandates timely remediation of the specific flaw in PlaciPy that passes unsanitized inputs to DynamoDB, including patching as advised in the GitHub security advisory.
Enforces restrictions on user-supplied query parameters at application boundaries to block malicious inputs that could exploit DynamoDB query construction.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote unauthenticated injection into DynamoDB queries/filters in a public-facing educational web app (PlaciPy) directly enables T1190 exploitation with full C/I/A impact; no other techniques are directly facilitated by the described flaw.
NVD Description
PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, User-controlled query parameters are passed directly into DynamoDB query/filter construction without validation or sanitization.
Deeper analysisAI
CVE-2026-25814 is a critical vulnerability in PlaciPy version 1.0.0, a placement management system designed for educational institutions. The issue stems from user-controlled query parameters being passed directly into DynamoDB query and filter construction without validation or sanitization, enabling injection attacks. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-74 (Improper Neutralization of Special Elements used in an SQL Command).
Unauthenticated remote attackers can exploit this vulnerability over the network with low attack complexity and no user interaction required. Exploitation allows attackers to manipulate DynamoDB queries and filters, potentially achieving high impacts on confidentiality, integrity, and availability, such as unauthorized data access, modification, or deletion.
The GitHub security advisory (GHSA-gmg6-mv7g-xjfv) at https://github.com/Praskla-Technology/assessment-placipy/security/advisories/GHSA-gmg6-mv7g-xjfv provides details on mitigation and patches.
Details
- CWE(s)