CVE-2026-25773
Description
UNSUPPORTED WHEN ASSIGNED Focalboard version 8.0 fails to sanitize category IDs before incorporating them into dynamic SQL statements when reordering categories. An attacker can inject a malicious SQL payload into the category id field, which is stored in the database and later executed unsanitized when the category reorder API processes the stored value. This Second-Order SQL Injection (Time-Based Blind) allows an authenticated attacker to exfiltrate sensitive data including password hashes of other users. NOTE: Focalboard as a standalone product is not maintained and no fix will be issued.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/mattermost/focalboardGo | <= 7.10.6 | — |
Affected products
1- cpe:2.3:a:mattermost:focalboard:8.0.0:*:*:*:*:*:*:*
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
2- github.com/advisories/GHSA-p32q-v29x-wq9rghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-25773ghsaADVISORY
News mentions
0No linked articles in our index yet.