CVE-2026-25814

9.8 CRITICAL

📋 TL;DR

PlaciPy version 1.0.0 passes user-controlled query parameters directly into DynamoDB query/filter construction without validation or sanitization. An attacker can therefore alter the query or filter the application executes, for example widening a filter so that it returns records the caller is not authorized to see. Educational institutions using this placement management system are affected.

💻 Affected Systems

Products:
  • PlaciPy
Versions: 1.0.0
Operating Systems: Any
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations using DynamoDB as the database backend

📦 What is this software?

PlaciPy is a placement management system used by educational institutions to hold student and placement records. The vulnerable code path is the part of the application that builds DynamoDB queries and filters from request parameters.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full database compromise allowing data exfiltration, modification, or deletion of sensitive student/placement information

🟠 Likely Case: Unauthorized data access and potential data manipulation through query injection

🟢 If Mitigated: Limited impact once query parameters are validated and values are bound rather than concatenated into expressions

🌐 Internet-Facing: HIGH - Web applications accepting user input are directly vulnerable
🏢 Internal Only: MEDIUM - Internal users could exploit if they have access to the application

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Injection into DynamoDB expressions is well documented: when a request parameter is concatenated into a FilterExpression or KeyConditionExpression string, or is used unchecked as an attribute name or comparison operator, the attacker can rewrite the condition (for example by appending an OR clause that is always true). Exploitation needs only basic web-security knowledge and a browser or curl.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check GitHub advisory for latest patched version

Vendor Advisory: https://github.com/Praskla-Technology/assessment-placipy/security/advisories/GHSA-gmg6-mv7g-xjfv

Restart Required: Yes

Instructions:

1. Review the GitHub advisory for the patched version.
2. Update PlaciPy to the latest version.
3. Restart application services.
4. Verify that input validation is implemented (see "How to Verify" below).

🔧 Temporary Workarounds

Input Validation Filter (platform: all)

Implement server-side input validation for all query parameters before they reach DynamoDB: allow-list the attribute names and comparison operators a caller may use, and bind values through ExpressionAttributeValues (or boto3's Key/Attr condition builders) instead of assembling expression strings from request data.

WAF Rule (platform: all)

Deploy web application firewall rules to detect and block injection attempts: flag request parameters whose decoded value contains DynamoDB expression syntax (whole-word OR/AND/NOT, attribute_exists(, attribute_not_exists(, begins_with(, contains(, <>, or :name/#name placeholders). Treat the WAF as a stopgap; it does not remove the concatenation in the application.

🧯 If You Can't Patch

  • Implement strict input validation and sanitization for all user-controlled parameters
  • Restrict application access to authorized users only and implement rate limiting
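The input-validation workaround above, shown as an added example that is not PlaciPy's own code: the vulnerable pattern the advisory describes (query-string parameters dropped into DynamoDB filter construction) beside a hardened builder. The endpoint, parameter names and attribute names are assumptions, and no AWS call is made; the functions only build the keyword arguments that would be handed to boto3's `Table.scan()` or `Table.query()`.

```python
"""Added example, not PlaciPy code: the injection pattern the advisory
describes (query-string parameters dropped into DynamoDB filter construction)
next to a hardened builder.  The endpoint, parameter names and attribute
names are assumptions; no AWS call is made, the functions only build the
kwargs that would be passed to boto3's Table.scan()/Table.query()."""
from urllib.parse import parse_qs


def params_from_query_string(qs: str) -> dict:
    """First value of each query-string parameter (what a web framework hands the handler)."""
    return {k: v[0] for k, v in parse_qs(qs, keep_blank_values=True).items()}


def build_scan_vulnerable(field: str, op: str, value: str) -> dict:
    """The flawed pattern: only the value is bound through a placeholder; the
    attribute name and operator come straight from the request."""
    return {
        "FilterExpression": f"{field} {op} :v",
        "ExpressionAttributeValues": {":v": value},
    }


# Assumed schema: the only attributes a caller may filter on.
ALLOWED_FIELDS = {"branch", "batch_year", "placement_status"}
# DynamoDB comparison operators; IN/BETWEEN/function calls are deliberately excluded.
ALLOWED_OPS = {"=", "<>", "<", "<=", ">", ">="}


def build_scan_safe(field: str, op: str, value: str) -> dict:
    """Hardened builder: allow-list the name and operator, bind the name via
    ExpressionAttributeNames and the value via ExpressionAttributeValues, so
    nothing taken from the request is ever part of the expression text."""
    if field not in ALLOWED_FIELDS:
        raise ValueError(f"field not filterable: {field!r}")
    if op not in ALLOWED_OPS:
        raise ValueError(f"operator not allowed: {op!r}")
    if not isinstance(value, str) or not 0 < len(value) <= 64:
        raise ValueError("value must be a non-empty string of at most 64 chars")
    return {
        "FilterExpression": f"#f {op} :v",
        "ExpressionAttributeNames": {"#f": field},
        "ExpressionAttributeValues": {":v": value},
    }


# Constructed requests.  DynamoDB expressions have no string literals, so the
# attacker cannot inject through the bound value; the operator parameter is
# the injection point.  The payload turns "branch = :v" into a tautology
# (every item has a student_id), so the scan returns the whole table.
BENIGN_QS = "field=branch&op=%3D&value=CSE"
MALICIOUS_QS = (
    "field=branch"
    "&op=%3D+%3Av+OR+attribute_exists(student_id)+OR+branch+%3D"
    "&value=CSE"
)


def demo() -> dict:
    """Build both forms for both requests; the safe builder rejects the payload."""
    out = {}
    for name, qs in (("benign", BENIGN_QS), ("malicious", MALICIOUS_QS)):
        p = params_from_query_string(qs)
        out[name] = {"vulnerable": build_scan_vulnerable(p["field"], p["op"], p["value"])}
        try:
            out[name]["safe"] = build_scan_safe(p["field"], p["op"], p["value"])
        except ValueError as exc:
            out[name]["safe"] = f"rejected: {exc}"
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result["vulnerable"]["FilterExpression"])
        print("   hardened ->", result["safe"])
```

With the malicious request the vulnerable builder emits `branch = :v OR attribute_exists(student_id) OR branch = :v`, which DynamoDB accepts and which matches every item; the hardened builder refuses the operator before any expression is built. The same binding discipline is what `boto3.dynamodb.conditions.Attr(field).eq(value)` gives you for free, provided `field` is still checked against an allow-list.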

🔍 How to Verify

Check if Vulnerable:

Review the PlaciPy source for request parameters that are interpolated into FilterExpression, KeyConditionExpression or ProjectionExpression strings, or passed unchecked as attribute names or comparison operators. In a test environment, send a benign search and then the same search with extra expression syntax (such as an appended OR clause) in a parameter; if the second request is accepted and returns a wider result set, the installation is vulnerable.

Check Version:

Check PlaciPy version in application configuration or package manager

Verify Fix Applied:

Verify that request parameters never become part of the expression text: attribute names and operators are taken from allow-lists, and values are bound through ExpressionAttributeValues (or boto3 condition builders) before any DynamoDB query or scan is issued.

📡 Detection & Monitoring

Log Indicators:

  • Unusual query patterns in application logs, such as filter text containing OR clauses or attribute_exists(...) that the application's own UI never generates
  • DynamoDB ValidationException errors ("Invalid FilterExpression: Syntax error") clustered from one client, which indicate someone probing the expression syntax

Network Indicators:

  • HTTP requests with suspicious query parameters containing injection payloads

SIEM Query:

source="web_app" AND (query_parameter CONTAINS " OR " OR query_parameter CONTAINS " AND " OR query_parameter CONTAINS "attribute_exists(" OR query_parameter CONTAINS "attribute_not_exists(" OR query_parameter CONTAINS "begins_with(" OR query_parameter CONTAINS "<>")

Match on the URL-decoded parameter value and keep the keyword matches case-sensitive and whole-word; a bare substring match on "OR" fires on ordinary words such as "Professor".
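The detection logic from the log and network indicators above, as an added example that is not part of the advisory or of PlaciPy: it flags web-log query parameters whose decoded value carries DynamoDB expression syntax and counts application-log lines in which DynamoDB rejected a malformed expression. The log formats, paths, parameter names and sample lines are constructed for the example.

```python
"""Added detection example (not from the advisory or PlaciPy): flags web-log
query parameters that carry DynamoDB expression syntax and application-log
lines where DynamoDB rejected a malformed expression.  Log formats, paths and
parameter names are constructed for the example."""
import re
from urllib.parse import urlsplit, parse_qsl

# Syntax that belongs inside a DynamoDB condition/filter expression and has no
# business in an ordinary form value.  Keywords are matched case-sensitively as
# whole words so that "for", "Information" or "Professor" in a benign value do
# not fire; ":name" / "#name" catch placeholder references.
EXPRESSION_TOKENS = re.compile(
    r"\b(?:OR|AND|NOT|BETWEEN|IN)\b"
    r"|\b(?:attribute_exists|attribute_not_exists|attribute_type"
    r"|begins_with|contains|size)\s*\("
    r"|<>"
    r"|(?<!\w)[:#][A-Za-z_]\w*"
)

# Apache/nginx combined log: pull the request target out of the quoted request line.
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# boto3 surfaces DynamoDB's rejection of a bad expression as a ClientError
# with this wording; repeated occurrences from one client mean somebody is
# probing the expression syntax.
EXPRESSION_ERROR = re.compile(
    r"ValidationException.*Invalid (?:Filter|KeyCondition|Condition|Projection)Expression"
)


def suspicious_params(log_line: str) -> list:
    """Return [(param, decoded_value, [tokens])] for each parameter in the
    request line whose URL-decoded value contains expression syntax."""
    m = REQUEST_LINE.search(log_line)
    if not m:
        return []
    query = urlsplit(m.group("target")).query
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        tokens = EXPRESSION_TOKENS.findall(value)
        if tokens:
            hits.append((name, value, tokens))
    return hits


def is_expression_error(log_line: str) -> bool:
    """True for an application-log line carrying DynamoDB's expression rejection."""
    return bool(EXPRESSION_ERROR.search(log_line))


def scan_logs(lines) -> dict:
    """Aggregate both indicators over a batch of log lines."""
    probes, errors = [], 0
    for line in lines:
        hits = suspicious_params(line)
        if hits:
            probes.append((line.split()[0], hits))   # (client IP, findings)
        if is_expression_error(line):
            errors += 1
    return {"injection_probes": probes, "expression_errors": errors}


# Constructed sample lines: two benign searches, one injection attempt, and
# the application-side error a malformed expression produces.
SAMPLE_LOGS = [
    '203.0.113.7 - - [10/Feb/2026:14:01:58 +0000] "GET /placements/search?field=branch&op=%3D&value=CSE HTTP/1.1" 200 1822 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Feb/2026:14:02:03 +0000] "GET /placements/search?field=branch&op=%3D&value=Information+Technology HTTP/1.1" 200 1640 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Feb/2026:14:02:11 +0000] "GET /placements/search?field=branch&op=%3D+%3Av+OR+attribute_exists(student_id)+OR+branch+%3D&value=CSE HTTP/1.1" 200 48213 "-" "curl/8.5.0"',
    '2026-02-10 14:02:11,845 ERROR placipy.search An error occurred (ValidationException) when calling the Scan operation: Invalid FilterExpression: Syntax error; token: "OR", near: ":v OR attribute_exists"',
]

if __name__ == "__main__":
    print(scan_logs(SAMPLE_LOGS))
```

Only the third line is flagged, on its `op` parameter, with the tokens `:v`, `OR` and `attribute_exists(`; the benign "Information Technology" search is not, because the keyword match is whole-word and case-sensitive. Two cheap corroborating signals are visible in the same line and worth adding to a real rule: a response far larger than the usual search result, and a non-browser user agent.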

🔗 References

  • GitHub Security Advisory GHSA-gmg6-mv7g-xjfv: https://github.com/Praskla-Technology/assessment-placipy/security/advisories/GHSA-gmg6-mv7g-xjfv