{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25773", "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "state": "PUBLISHED", "assignerShortName": "Mattermost", "dateReserved": "2026-04-03T13:10:59.186Z", "datePublished": "2026-04-03T13:24:29.141Z", "dateUpdated": "2026-04-03T14:57:00.729Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Focalboard", "vendor": "Mattermost", "versions": [{"lessThanOrEqual": "8.0", "status": "affected", "version": "0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Siam Thanat Hack Company Limited (pentest@sth.sh)"}], "descriptions": [{"lang": "en", "value": "** UNSUPPORTED WHEN ASSIGNED ** Focalboard version 8.0 fails to sanitize category IDs before incorporating them into dynamic SQL statements when reordering categories. An attacker can inject a malicious SQL payload into the category id field, which is stored in the database and later executed unsanitized when the category reorder API processes the stored value. This Second-Order SQL Injection (Time-Based Blind) allows an authenticated attacker to exfiltrate sensitive data including password hashes of other users. NOTE: Focalboard as a standalone product is not maintained and no fix will be issued."}], "tags": ["unsupported-when-assigned"], "metrics": [{"cvssV3_1": {"attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "baseSeverity": "HIGH", "baseScore": 8.1}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "cweId": "CWE-89"}]}], "references": [{"url": "https://github.com/mattermost-community/focalboard", "name": "Focalboard Repository (Unmaintained)"}], "source": {"discovery": "EXTERNAL"}, "title": "Focalboard Second-Order SQL Injection in category reorder endpoint allows data exfiltration (unsupported product, no fix)", "providerMetadata": {"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost", "dateUpdated": "2026-04-03T13:24:29.141Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-03T14:56:18.578517Z", "id": "CVE-2026-25773", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T14:57:00.729Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25773", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-03T14:56:18.578517Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T14:56:50.635Z"}}], "cna": {"tags": ["unsupported-when-assigned"], "title": "Focalboard Second-Order SQL Injection in category reorder endpoint allows data exfiltration (unsupported product, no fix)", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Siam Thanat Hack Company Limited (pentest@sth.sh)"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Mattermost", "product": "Focalboard", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "8.0"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/mattermost-community/focalboard", "name": "Focalboard Repository (Unmaintained)"}], "descriptions": [{"lang": "en", "value": "** UNSUPPORTED WHEN ASSIGNED ** Focalboard version 8.0 fails to sanitize category IDs before incorporating them into dynamic SQL statements when reordering categories. An attacker can inject a malicious SQL payload into the category id field, which is stored in the database and later executed unsanitized when the category reorder API processes the stored value. This Second-Order SQL Injection (Time-Based Blind) allows an authenticated attacker to exfiltrate sensitive data including password hashes of other users. NOTE: Focalboard as a standalone product is not maintained and no fix will be issued."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost", "dateUpdated": "2026-04-03T13:24:29.141Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25773", "state": "PUBLISHED", "dateUpdated": "2026-04-03T14:57:00.729Z", "dateReserved": "2026-04-03T13:10:59.186Z", "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "datePublished": "2026-04-03T13:24:29.141Z", "assignerShortName": "Mattermost"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mattermost:focalboard:8.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "42087E46-C9CC-46D7-B424-55537457FE0A", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [{"sourceIdentifier": "responsibledisclosure@mattermost.com", "tags": ["unsupported-when-assigned"]}], "descriptions": [{"lang": "en", "value": "** UNSUPPORTED WHEN ASSIGNED ** Focalboard version 8.0 fails to sanitize category IDs before incorporating them into dynamic SQL statements when reordering categories. An attacker can inject a malicious SQL payload into the category id field, which is stored in the database and later executed unsanitized when the category reorder API processes the stored value. This Second-Order SQL Injection (Time-Based Blind) allows an authenticated attacker to exfiltrate sensitive data including password hashes of other users. NOTE: Focalboard as a standalone product is not maintained and no fix will be issued."}], "id": "CVE-2026-25773", "lastModified": "2026-04-28T00:19:15.587", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "responsibledisclosure@mattermost.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-03T14:16:29.127", "references": [{"source": "responsibledisclosure@mattermost.com", "tags": ["Product"], "url": "https://github.com/mattermost-community/focalboard"}], "sourceIdentifier": "responsibledisclosure@mattermost.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "responsibledisclosure@mattermost.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,8.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Focalboard", "source": "cna", "vendor": "Mattermost"}, "product": "focalboard", "vendor": "mattermost"}], "analysis": {"en": {"generated_at": "2026-04-03T16:37:34.065932+00:00", "value": {"mitigation_remediation": ["Disallow or restrict access to the category reorder endpoint for non\u2011essential users.", "Validate and sanitize the category ID input on the server side before it is used in any SQL statement.", "Refactor database access to use parameterized queries or an ORM that automatically escapes inputs.", "Because the product is unsupported, consider migrating to an actively maintained solution or replacing the affected components.", "Monitor application logs for unusual query patterns that could indicate an injection attempt.", "If immediate migration is not possible, isolate the system from external network traffic and enforce strict network segmentation."], "summary": {"action": "Monitor", "impact": "Data Exfiltration"}, "threat_synthesis": {"affected_systems": "The affected product is Mattermost Focalboard, and the vulnerability applies specifically to version 8.0. The standalone product is no longer maintained and no fix will be released. Any deployment of this version that allows authenticated access to the category reorder API is impacted.", "description_and_impact": "A second\u2011order SQL injection vulnerability exists in the category reorder endpoint of Focalboard version 8.0. An attacker who is authenticated can add a malicious SQL payload to the category identifier field. The payload is stored in the database and later executed unsanitized when the reorder API processes the stored value. This time\u2011based blind injection can retrieve sensitive data, including password hashes of other users. The flaw is a classic SQL injection weakness (CWE\u201189).", "risk_and_exploitability": "The CVSS base score of 8.1 marks this flaw as high severity. The EPSS score is unavailable, and the vulnerability is not listed in the CISA KEV catalog. Because an attacker must be authenticated to trigger the injection, the attack vector is localhost or within the trusted environment of the application. Once exploited, the attacker can read confidential data from the database, potentially leading to credential compromise and further lateral movement. No official patch is available, so the risk remains significant for any vulnerable installation."}}}}, "created": "2026-04-03T21:14:19.485861+00:00", "updated": "2026-04-03T21:16:35.363684+00:00", "vendors": ["mattermost", "mattermost$PRODUCT$focalboard"]}