Cyber Resilience

CVE-2026-25814

Critical

Published: 09 February 2026

Published
09 February 2026
Modified
18 February 2026
KEV Added
Patch
CVSS Score v4 9.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0034 25.4th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-25814 is a critical-severity Injection (CWE-74) vulnerability in Prasklatechnology Placipy. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 25.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-25814 is a critical vulnerability in PlaciPy version 1.0.0, a placement management system designed for educational institutions. The issue stems from user-controlled query parameters being passed directly into DynamoDB query and filter construction without validation or sanitization, enabling injection attacks. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-74 (Improper Neutralization of Special Elements used in an SQL Command).

Unauthenticated remote attackers can exploit this vulnerability over the network with low attack complexity and no user interaction required. Exploitation allows attackers to manipulate DynamoDB queries and filters, potentially achieving high impacts on confidentiality, integrity, and availability, such as unauthorized data access, modification, or deletion.

The GitHub security advisory (GHSA-gmg6-mv7g-xjfv) at https://github.com/Praskla-Technology/assessment-placipy/security/advisories/GHSA-gmg6-mv7g-xjfv provides details on mitigation and patches.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, User-controlled query parameters are passed directly into DynamoDB query/filter construction without validation or sanitization.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Remote unauthenticated injection into DynamoDB queries/filters in a public-facing educational web app (PlaciPy) directly enables T1190 exploitation with full C/I/A impact; no other techniques are directly facilitated by the described flaw.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-25813Same product: Prasklatechnology Placipy
CVE-2026-25875Same product: Prasklatechnology Placipy
CVE-2026-25809Same product: Prasklatechnology Placipy
CVE-2026-25876Same product: Prasklatechnology Placipy
CVE-2026-25811Same product: Prasklatechnology Placipy
CVE-2026-25810Same product: Prasklatechnology Placipy
CVE-2026-25812Same product: Prasklatechnology Placipy
CVE-2026-25753Same product: Prasklatechnology Placipy
CVE-2026-27727Shared CWE-74
CVE-2026-7770Shared CWE-74

Affected Assets

prasklatechnology
placipy
1.0.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation and sanitization of user-controlled query parameters before constructing DynamoDB queries to prevent injection attacks.

prevent

Mandates timely remediation of the specific flaw in PlaciPy that passes unsanitized inputs to DynamoDB, including patching as advised in the GitHub security advisory.

prevent

Enforces restrictions on user-supplied query parameters at application boundaries to block malicious inputs that could exploit DynamoDB query construction.

References