CVE-2026-25773

HIGH 8.1

Focalboard Second-Order SQL Injection in category reorder endpoint allows data exfiltration (unsupported product, no fix)

CVSS Score

8.1

EPSS Score

0.0%

EPSS Percentile

0th

** UNSUPPORTED WHEN ASSIGNED ** Focalboard version 8.0 fails to sanitize category IDs before incorporating them into dynamic SQL statements when reordering categories. An attacker can inject a malicious SQL payload into the category id field, which is stored in the database and later executed unsanitized when the category reorder API processes the stored value. This Second-Order SQL Injection (Time-Based Blind) allows an authenticated attacker to exfiltrate sensitive data including password hashes of other users. NOTE: Focalboard as a standalone product is not maintained and no fix will be issued.

CWE	CWE-89
Vendor	mattermost
Product	focalboard
Published	Apr 3, 2026
Last Updated	Apr 3, 2026

Stay Ahead of the Next One

Get instant alerts for mattermost focalboard

Be the first to know when new high vulnerabilities affecting mattermost focalboard are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Affected Versions

Mattermost / Focalboard

0 ≤ 8.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/mattermost-community/focalboard

Credits

Siam Thanat Hack Company Limited ([email protected])