Cyber Resilience

CVE-2026-25876

Medium

Published: 09 February 2026

Published
09 February 2026
Modified
11 February 2026
KEV Added
Patch
CVSS Score v4 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0025 15.6th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2026-25876 is a medium-severity Missing Authorization (CWE-862) vulnerability in Prasklatechnology Placipy. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 15.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-16 (Security and Privacy Attributes).

Deeper analysis

CVE-2026-25876 is a missing authorization vulnerability (CWE-862) in PlaciPy version 1.0.0, an open-source placement management system designed for educational institutions. The issue affects the backend/src/routes/results.routes.ts component, which properly verifies authentication but fails to enforce object-level authorization, such as ownership checks on resources. As a result, authenticated users can access data beyond their authorized scope, for example, retrieving all results for an assessment.

The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), making it exploitable over the network by unauthenticated attackers (PR:N) with low attack complexity and no user interaction required. Successful exploitation enables high-impact violations of confidentiality and integrity, allowing attackers to read or potentially modify unauthorized assessment results and other objects without ownership validation.

Mitigation details are available in the GitHub security advisory published by the PlaciPy maintainers at https://github.com/Praskla-Technology/assessment-placipy/security/advisories/GHSA-w238-w4mg-j357.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the backend/src/routes/results.routes.ts verify authentication but fails to enforce object-level authorization (ownership checks). For example, this can be used to return all results for an assessment.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1213 Data from Information Repositories Collection
Adversaries may leverage information repositories to mine valuable information.
Why these techniques?

Missing object-level authorization in public-facing web app routes directly enables T1190 exploitation for initial access and facilitates T1213 collection of data from the system's information repositories (assessment results).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-25810Same product: Prasklatechnology Placipy
CVE-2026-25811Same product: Prasklatechnology Placipy
CVE-2026-25814Same product: Prasklatechnology Placipy
CVE-2026-25813Same product: Prasklatechnology Placipy
CVE-2026-25875Same product: Prasklatechnology Placipy
CVE-2026-25809Same product: Prasklatechnology Placipy
CVE-2026-25812Same product: Prasklatechnology Placipy
CVE-2026-25753Same product: Prasklatechnology Placipy
CVE-2026-30911Shared CWE-862
CVE-2025-69311Shared CWE-862

Affected Assets

prasklatechnology
placipy
1.0.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

AC-3 requires enforcement of approved authorizations for access to information and resources, directly addressing the failure to implement object-level ownership checks in PlaciPy's results routes.

prevent

AC-6 implements least privilege to restrict access to only authorized objects, mitigating authenticated users' ability to retrieve unauthorized assessment results.

prevent

AC-16 manages security attributes like ownership to support fine-grained authorization rules absent in the vulnerable backend routes.

References