Cyber Resilience

CVE-2026-25773

High

Published: 03 April 2026

Published
03 April 2026
Modified
28 April 2026
KEV Added
Patch
CVSS Score v3.1 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
EPSS Score 0.0031 22.4th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-25773 is a high-severity SQL Injection (CWE-89) vulnerability in Mattermost Focalboard. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 22.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SA-22 (Unsupported System Components) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-25773 is a second-order time-based blind SQL injection vulnerability (CWE-89) affecting Focalboard version 8.0. The flaw occurs because the application fails to sanitize category IDs before incorporating them into dynamic SQL statements during the category reordering process. An attacker can inject a malicious SQL payload into the category ID field, which gets stored in the database and later executed unsanitized by the category reorder API.

An authenticated attacker with low privileges can exploit this vulnerability over the network with no user interaction required. Successful exploitation allows exfiltration of sensitive data from the database, including password hashes of other users, as indicated by the CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).

Focalboard as a standalone product is unsupported and not maintained, so no patch or fix will be issued. Security practitioners should consult the project's GitHub repository at https://github.com/mattermost-community/focalboard for any additional context on this CVE.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

** UNSUPPORTED WHEN ASSIGNED ** Focalboard version 8.0 fails to sanitize category IDs before incorporating them into dynamic SQL statements when reordering categories. An attacker can inject a malicious SQL payload into the category id field, which is stored in…

more

the database and later executed unsanitized when the category reorder API processes the stored value. This Second-Order SQL Injection (Time-Based Blind) allows an authenticated attacker to exfiltrate sensitive data including password hashes of other users. NOTE: Focalboard as a standalone product is not maintained and no fix will be issued.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1212 Exploitation for Credential Access Credential Access
Adversaries may exploit software vulnerabilities in an attempt to collect credentials.
Why these techniques?

SQL injection in network-accessible web app directly enables exploitation of public-facing application (T1190) and credential access via password hash exfiltration (T1212).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-24490Same vendor: Mattermost
CVE-2018-25128Shared CWE-89
CVE-2025-20620Shared CWE-89
CVE-2026-32714Shared CWE-89
CVE-2025-14273Same vendor: Mattermost
CVE-2026-6957Same vendor: Mattermost
CVE-2025-20621Same vendor: Mattermost
CVE-2025-25279Same vendor: Mattermost
CVE-2025-25274Same vendor: Mattermost
CVE-2025-13523Same vendor: Mattermost

Affected Assets

mattermost
focalboard
8.0.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation of category ID inputs to reject malicious SQL injection payloads before storage or execution in dynamic SQL statements.

prevent

Prohibits use of unsupported Focalboard v8.0 components, preventing exploitation of the unpatched second-order SQL injection vulnerability.

prevent

Mandates timely identification, reporting, and remediation of the SQL injection flaw through patches or compensating controls.

References