cvedb.io
CVE-2026-25773
HIGH · CVSS 8.1
EPSS exploitation probability: 0%
Published 2026-04-03T14:16:29.127 · Last modified 2026-06-17T10:25:12.610

Summary

** UNSUPPORTED WHEN ASSIGNED ** Focalboard version 8.0 fails to sanitize category IDs before incorporating them into dynamic SQL statements when reordering categories. An attacker can inject a malicious SQL payload into the category id field, which is stored in the database and later executed unsanitized when the category reorder API processes the stored value. This Second-Order SQL Injection (Time-Based Blind) allows an authenticated attacker to exfiltrate sensitive data including password hashes of other users. NOTE: Focalboard as a standalone product is not maintained and no fix will be issued.

Affected products

mattermost — focalboard

Does this affect you?

Add your gear to cvedb and we'll alert you only when mattermost ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.