CVE-2026-25773
Mattermost · Focalboard
Vulnerability data via NVD (ingested)
** UNSUPPORTED WHEN ASSIGNED ** Focalboard version 8.0 fails to sanitize category IDs before incorporating them into dynamic SQL statements when reordering categories. An attacker can inject a malicious SQL payload into the category id field, which is stored in the database and later executed unsanitized when the category reorder API processes the stored value. This Second-Order SQL Injection (Time-Based Blind) allows an authenticated attacker to exfiltrate sensitive data including password hashes of other users. NOTE: Focalboard as a standalone product is not maintained and no fix will be issued.
Search for exposed instances
Shodan + Censys queries derived from NVD's CPE data. The vuln tag catches assets Shodan has explicitly linked to this CVE; the product / banner fingerprints find exposed instances even when the vuln tag was never applied (which is common).
Shodan: vuln:CVE-2026-25773
Shodan: product:"Mattermost Focalboard" version:"8.0.0"
Shodan: http.html:"Focalboard"
Censys: vulnerabilities.cve_id: CVE-2026-25773
Web search: "CVE-2026-25773" exploit -site:nvd.nist.gov