CVE-2026-25773 - Vulnerability Analysis
HighCVSS: 8.1Last Updated: April 3, 2026
Focalboard - SQL Injection
Published: April 3, 2026Updated: April 3, 2026Remote Exploitable
Overview
Focalboard 8.0 contains a second-order SQL injection caused by unsanitized category IDs in dynamic SQL statements during category reorder, letting authenticated attackers exfiltrate sensitive data including password hashes.
Severity & Score
Severity: High
CVSS Score: 8.1
Impact
Authenticated attackers can exfiltrate sensitive data such as password hashes, leading to potential account compromise.
Mitigation
No fix available; consider migrating to a maintained alternative or applying custom patches.
Related Resources
Details
- CVE ID
- CVE-2026-25773
- Severity
- High
- CVSS Score
- 8.1
- Type
- sql_injection
- Status
- unconfirmed
CWE
- CWE-89
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N