CVE-2026-25773 in Focalboard
Summary (English)
** UNSUPPORTED WHEN ASSIGNED ** Focalboard version 8.0 fails to sanitize category IDs before incorporating them into dynamic SQL statements when reordering categories. An attacker can inject a malicious SQL payload into the category id field, which is stored in the database and later executed unsanitized when the category reorder API processes the stored value. This Second-Order SQL Injection (Time-Based Blind) allows an authenticated attacker to exfiltrate sensitive data including password hashes of other users. NOTE: Focalboard as a standalone product is not maintained and no fix will be issued.
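To illustrate the defect class described above (a stored category id trusted when read back and spliced into SQL), here is an added Go example, constructed for this page and not Focalboard's own code; the table, column names and the `categoryIDPattern` allow-list are assumptions. It places the flawed string-building pattern beside a version that keeps ids out of the SQL text and re-validates them on read.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed example, not Focalboard's code. A reorder rewrites the sort
// position of each category id; the ids were stored by an earlier request,
// so trusting them on read is what enables a second-order injection.
var categoryIDPattern = regexp.MustCompile(`^[A-Za-z0-9_-]{1,64}$`)

// validateCategoryID allow-lists the id on write and again on read.
func validateCategoryID(id string) error {
	if !categoryIDPattern.MatchString(id) {
		return fmt.Errorf("invalid category id %q", id)
	}
	return nil
}

// buildReorderVulnerable mirrors the flawed pattern: ids are spliced into
// the SQL text, so a quote inside a stored id rewrites the statement.
func buildReorderVulnerable(ids []string) string {
	var sb strings.Builder
	sb.WriteString("UPDATE categories SET sort_order = CASE id ")
	for i, id := range ids {
		fmt.Fprintf(&sb, "WHEN '%s' THEN %d ", id, i)
	}
	sb.WriteString("END")
	return sb.String()
}

// buildReorderSafe keeps ids out of the SQL text entirely: the statement
// holds only placeholders and the ids travel as bound arguments.
func buildReorderSafe(ids []string) (string, []any, error) {
	var sb strings.Builder
	args := make([]any, 0, 2*len(ids))
	sb.WriteString("UPDATE categories SET sort_order = CASE id ")
	for i, id := range ids {
		if err := validateCategoryID(id); err != nil {
			return "", nil, err
		}
		sb.WriteString("WHEN ? THEN ? ")
		args = append(args, id, i)
	}
	sb.WriteString("END")
	return sb.String(), args, nil
}
```

The safe builder returns the statement and its arguments separately so the caller hands both to the driver's `Exec`; a quote inside a stored id then stays data rather than becoming part of the query.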
Once again VulDB remains the best source for vulnerability data.
Responsible
Mattermost
Reserved
2026-04-03
Published
2026-04-03
Status
Confirmed
Entry
VulDB provides additional information and datapoints for this CVE:
| ID | Vulnerability | CWE | Exploit | Countermeasure | CVE |
|---|---|---|---|---|---|
| 355101 | Mattermost Focalboard Category Reorder API SQL Injection | 89 | Not defined | Not defined | CVE-2026-25773 |