VYPR

Focalboard

by Mattermost

CVEs (3)

  • CVE-2026-25773 | High | Apr 3, 2026
    risk 0.53 | cvss 8.1 | epss 0.00

    ** UNSUPPORTED WHEN ASSIGNED ** Focalboard version 8.0 fails to sanitize category IDs before incorporating them into dynamic SQL statements when reordering categories. An attacker can inject a malicious SQL payload into the category id field, which is stored in the database and…

  • CVE-2026-28736 | Medium | Apr 3, 2026
    risk 0.28 | cvss 4.3 | epss 0.00

    ** UNSUPPORTED WHEN ASSIGNED ** Focalboard version 8.0 fails to validate file ownership when serving uploaded files. This allows an authenticated attacker who knows a victim's fileID to read the content of the file. NOTE: Focalboard as a standalone product is not maintained and…

  • CVE-2023-1562 | Mar 22, 2023
    risk 0.00 | cvss | epss 0.00

    Mattermost fails to check the "Show Full Name" setting when rendering the result for the /plugins/focalboard/api/v2/users API call, allowing an attacker to learn the full name of a board owner.