Cyber Resilience

CVE-2026-25875

Severity: Critical
Published: 09 February 2026
Modified: 11 February 2026
KEV Added: not listed
Patch: see the GitHub advisory cited in the Deeper analysis section
CVSS v4.0 base score: 9.3 (Critical)
CVSS v4.0 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N (threat, environmental and supplemental metrics not defined)
EPSS score: 0.0029 (20.3rd percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-25875 is a critical-severity Incorrect Authorization (CWE-863) vulnerability in Prasklatechnology Placipy. Its CVSS v4.0 base score is 9.3 (Critical); the GitHub advisory scores it 9.8 under CVSS v3.1.

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 20.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-24 (Access Control Decisions).

Deeper analysis

CVE-2026-25875 is a critical authorization vulnerability in PlaciPy version 1.0.0, an open-source placement management system for educational institutions. The flaw sits in the admin authorization middleware, which trusts client-controlled claims in the JSON Web Token (JWT), specifically role and scope, instead of verifying the caller's role on the server side. Classified as CWE-863 (Incorrect Authorization), it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H): reachable over the network, low attack complexity, no privileges and no user interaction required. Note that the CVSS v4.0 vector listed at the top of this page (9.3) agrees on reach and prerequisites but records VA:N, so the two scorings differ on availability impact; the impact statement below follows the v3.1 vector.

Any unauthenticated attacker with network access to the application can exploit it. A request carrying a JWT whose payload asserts an admin-level role and scope passes the middleware's authorization check, granting full administrative privileges: data manipulation, control over user accounts, or disruption of the service, with high impact on confidentiality, integrity and availability. The advisory does not state whether the middleware checks the token's signature; because no privileges are required (PR:N), a practitioner should assume the middleware accepts a token the attacker minted themselves, and should note that even a correctly signed token is an authorization bypass if its role claim is taken at face value rather than checked against the server's own record of the user.

Mitigation guidance and additional details are available in the GitHub security advisory at https://github.com/Praskla-Technology/assessment-placipy/security/advisories/GHSA-mx95-8ppg-v574, published on 2026-02-09.

Vulnerability details

PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the admin authorization middleware trusts client-controlled JWT claims (role and scope) without enforcing server-side role verification.

CWE(s)

CWE-863 Incorrect Authorization

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The CVE describes a remotely exploitable authorization bypass in a network-accessible web application (PlaciPy). An adversary gains initial access and full admin privileges by exploiting the public-facing application directly, without any prior authentication.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-25811 (same product: Prasklatechnology Placipy)
CVE-2026-25809 (same product: Prasklatechnology Placipy)
CVE-2026-25813 (same product: Prasklatechnology Placipy)
CVE-2026-25814 (same product: Prasklatechnology Placipy)
CVE-2026-25876 (same product: Prasklatechnology Placipy)
CVE-2026-25810 (same product: Prasklatechnology Placipy)
CVE-2026-25812 (same product: Prasklatechnology Placipy)
CVE-2026-25753 (same product: Prasklatechnology Placipy)
CVE-2026-32924 (shared CWE-863)
CVE-2026-23837 (shared CWE-863)

Affected Assets

Vendor: prasklatechnology
Product: placipy
Version: 1.0.0

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

AC-3 Access Enforcement (prevent)

Requires the system to enforce approved authorizations for access, directly addressing the middleware's failure to verify JWT role and scope claims server-side.

AC-24 Access Control Decisions (prevent)

Mandates that access control decisions be made on validated attributes, mitigating reliance on unverified client-controlled JWT claims.

AC-6 Least Privilege (prevent)

Enforces least privilege to limit the scope and impact of unauthorized admin access gained through forged JWT role claims.

References

GitHub security advisory GHSA-mx95-8ppg-v574 (published 2026-02-09): https://github.com/Praskla-Technology/assessment-placipy/security/advisories/GHSA-mx95-8ppg-v574