CVE-2026-25773

High

Published: 03 April 2026

Published

03 April 2026

Modified

28 April 2026

KEV Added

—

Patch

—

CVSS Score 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

EPSS Score 0.0001 1.8th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-25773 is a high-severity SQL Injection (CWE-89) vulnerability in Mattermost Focalboard. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 1.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SA-22 (Unsupported System Components) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly requires validation of category ID inputs to reject malicious SQL injection payloads before storage or execution in dynamic SQL statements.

SA-22 Unsupported System Components good match

prevent

Prohibits use of unsupported Focalboard v8.0 components, preventing exploitation of the unpatched second-order SQL injection vulnerability.

SI-2 Flaw Remediation good match

prevent

Mandates timely identification, reporting, and remediation of the SQL injection flaw through patches or compensating controls.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1212 Exploitation for Credential Access Credential Access

Adversaries may exploit software vulnerabilities in an attempt to collect credentials.

attack.mitre.org →

Why these techniques?

SQL injection in network-accessible web app directly enables exploitation of public-facing application (T1190) and credential access via password hash exfiltration (T1212).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

** UNSUPPORTED WHEN ASSIGNED ** Focalboard version 8.0 fails to sanitize category IDs before incorporating them into dynamic SQL statements when reordering categories. An attacker can inject a malicious SQL payload into the category id field, which is stored in…

the database and later executed unsanitized when the category reorder API processes the stored value. This Second-Order SQL Injection (Time-Based Blind) allows an authenticated attacker to exfiltrate sensitive data including password hashes of other users. NOTE: Focalboard as a standalone product is not maintained and no fix will be issued.

Deeper analysisAI

CVE-2026-25773 is a second-order time-based blind SQL injection vulnerability (CWE-89) affecting Focalboard version 8.0. The flaw occurs because the application fails to sanitize category IDs before incorporating them into dynamic SQL statements during the category reordering process. An attacker can inject a malicious SQL payload into the category ID field, which gets stored in the database and later executed unsanitized by the category reorder API.

An authenticated attacker with low privileges can exploit this vulnerability over the network with no user interaction required. Successful exploitation allows exfiltration of sensitive data from the database, including password hashes of other users, as indicated by the CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).

Focalboard as a standalone product is unsupported and not maintained, so no patch or fix will be issued. Security practitioners should consult the project's GitHub repository at https://github.com/mattermost-community/focalboard for any additional context on this CVE.