CVE-2026-25809
Published: 09 February 2026
Description
PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the code evaluation endpoint does not validate the assessment lifecycle state before allowing execution. There is no check to ensure that the assessment has started, is not expired, or that the submission window is currently open.
Mitigating Controls (NIST 800-53 r5) (AI-generated)
- Enforces approved authorizations on the code evaluation endpoint by requiring validation of the assessment lifecycle state before permitting execution.
- Requires access control decisions for the code evaluation endpoint to incorporate dynamic factors such as assessment start, expiration, and submission window status.
- Limits the privilege to execute code on the endpoint to scenarios where the assessment lifecycle state is valid, preventing unauthorized access.
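The controls above all reduce to one server-side decision: is this assessment started, unexpired, and inside its submission window right now? The following is an added illustration of that gate, not PlaciPy's own code; the `Assessment` fields, the `lifecycle_check` / `evaluate_checked` names and the stub runner are assumptions, and Python is assumed only because the product name suggests it. The unchecked handler shows the shape the advisory describes (execution with no state check); the checked one makes the dynamic-state decision before any code reaches the runner.

```python
"""Assessment lifecycle gate for a code-evaluation endpoint.

Added example, not PlaciPy's code. All names and fields are assumptions
chosen for illustration; timestamps are timezone-aware UTC.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Callable, Optional


class Denial(str, Enum):
    NOT_STARTED = "assessment has not started"
    EXPIRED = "assessment has expired"
    WINDOW_CLOSED = "submission window is closed"


@dataclass(frozen=True)
class Assessment:
    assessment_id: str
    starts_at: datetime
    ends_at: datetime
    # The submission window may be narrower than [starts_at, ends_at);
    # None means the window spans the whole assessment period.
    submission_opens_at: Optional[datetime] = None
    submission_closes_at: Optional[datetime] = None


def lifecycle_check(assessment: Assessment, now: datetime) -> Optional[Denial]:
    """Return None when execution may proceed, otherwise the denial reason.

    The three checks mirror the advisory text: started, not expired,
    submission window open. Evaluated in that order so the first failing
    condition is the one reported.
    """
    if now < assessment.starts_at:
        return Denial.NOT_STARTED
    if now >= assessment.ends_at:
        return Denial.EXPIRED
    opens = assessment.submission_opens_at or assessment.starts_at
    closes = assessment.submission_closes_at or assessment.ends_at
    if not (opens <= now < closes):
        return Denial.WINDOW_CLOSED
    return None


def evaluate_unchecked(assessment: Assessment, code: str,
                       runner: Callable[[str], str]) -> dict:
    # Vulnerable shape (CWE-285): the runner is invoked regardless of
    # lifecycle state, so any caller can execute at any time.
    return {"status": 200, "result": runner(code)}


def evaluate_checked(assessment: Assessment, code: str,
                     runner: Callable[[str], str],
                     now: Optional[datetime] = None) -> dict:
    # Hardened shape: the decision uses the server clock and the stored
    # assessment record, neither of which the client controls, and it is
    # made before any code reaches the runner.
    now = now or datetime.now(timezone.utc)
    denial = lifecycle_check(assessment, now)
    if denial is not None:
        return {"status": 403, "error": denial.value}
    return {"status": 200, "result": runner(code)}


def stub_runner(code: str) -> str:
    # Stand-in for the real sandboxed runner; it executes nothing.
    return f"would run {len(code)} bytes"


# Constructed sample data: a two-hour assessment whose submission window
# closes 30 minutes before the assessment itself ends.
T0 = datetime(2026, 2, 9, 9, 0, tzinfo=timezone.utc)
SAMPLE = Assessment("asm-demo", starts_at=T0, ends_at=T0 + timedelta(hours=2),
                    submission_closes_at=T0 + timedelta(minutes=90))
BEFORE_START = T0 - timedelta(minutes=5)
DURING = T0 + timedelta(minutes=30)
AFTER_WINDOW = T0 + timedelta(minutes=100)   # window closed, not yet expired
AFTER_END = T0 + timedelta(hours=3)

if __name__ == "__main__":
    for label, instant in [("before start", BEFORE_START), ("during", DURING),
                           ("after window", AFTER_WINDOW), ("after end", AFTER_END)]:
        print(label, evaluate_checked(SAMPLE, "print(1)", stub_runner, now=instant))
```

The window-closed case is the one most easily missed: an assessment can still be "live" while submissions are no longer accepted, which is why the gate checks the window separately from the start and end timestamps rather than treating "started and not expired" as sufficient.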
Security Summary (AI-generated)
CVE-2026-25809 is a critical vulnerability in PlaciPy version 1.0.0, a placement management system designed for educational institutions. The issue affects the code evaluation endpoint, which does not validate the assessment lifecycle state before permitting code execution. There is no check to confirm that the assessment has started, remains unexpired, or has an open submission window, leading to improper authorization classified as CWE-285. Published on 2026-02-09, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity and no user interaction. Because the code evaluation endpoint performs no lifecycle validation, they can submit code for execution at any time, regardless of whether the assessment has started, has expired, or has a closed submission window, achieving high impacts on the confidentiality, integrity, and availability of the affected system.
Mitigation guidance is available in the GitHub security advisory at https://github.com/Praskla-Technology/assessment-placipy/security/advisories/GHSA-cc32-rp29-w9x7.
Details
- CWE(s): CWE-285 (Improper Authorization)
- Affected Products: PlaciPy 1.0.0
MITRE ATT&CK Enterprise Techniques (AI-generated)
Why these techniques?
The vulnerability allows unauthenticated remote code execution on a public-facing web application endpoint without proper authorization checks, directly enabling exploitation of public-facing applications.