Second-Order SQL Injection Vulnerability in Focalboard by Mattermost
CVE-2026-25773

8.1 HIGH

Key Information:

Vendor

Mattermost

CVE Published:
3 April 2026

What is CVE-2026-25773?

Focalboard, in all versions up to and including 8.0, does not sanitize category IDs before embedding them in the dynamic SQL statements it builds when a user's categories are reordered. An authenticated attacker can therefore supply a category ID that carries a SQL payload. The payload is stored in the database without incident; it is only when the categories are later reordered that the stored ID is concatenated into the reordering statement and executed. This is a second-order SQL injection: the dangerous write is the one that reads the attacker-controlled value back out of the database, not the one that put it there, so input validation at the original request alone does not catch it. Through it an attacker can exfiltrate sensitive information, including users' password hashes. Focalboard is no longer actively maintained, and no official fix will be provided for this vulnerability, so deployments have no vendor patch to apply.

Affected Version(s)

Focalboard, all versions up to and including 8.0

References

CVSS V3.1

Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability reserved

  • Vulnerability published: 3 April 2026

Credit

Siam Thanat Hack Company Limited (pentest@sth.sh)