PT-2026-30041 · Unknown · Focalboard

Published: 2026-04-03 · Updated: 2026-04-28 · CVE-2026-25773

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Focalboard version 8.0

Description: Focalboard version 8.0 does not properly sanitize category IDs before using them in SQL queries when reordering categories. An attacker can place SQL code in the category ID field; the stored value is later used without proper sanitization when the category reorder API processes it, so the injected SQL is executed at that point. This second-order SQL injection (time-based blind) could allow an authenticated attacker to obtain sensitive data, including password hashes of other users.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
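The description above comes down to a stored value being spliced into SQL text at use time. The following Go snippet is an added example written for this advisory, not Focalboard's own code: it contrasts that flawed pattern with an allowlist check on stored IDs plus bound parameters. The ID format, table and column names are assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Allowlist for category IDs. Assumption for this example: IDs are short
// alphanumeric tokens; tighten this to the real ID format in production.
var categoryIDPattern = regexp.MustCompile(`^[A-Za-z0-9_-]{1,64}$`)

// Statement is a query with bound parameters, ready for db.Exec(query, args...).
type Statement struct {
	Query string
	Args  []interface{}
}

// UnsafeReorderSQL mirrors the flawed pattern: IDs read back from storage are
// spliced into the SQL text, so a stored value containing a quote character
// changes the query's structure (second-order injection).
func UnsafeReorderSQL(userID string, storedIDs []string) string {
	var b strings.Builder
	for i, id := range storedIDs {
		fmt.Fprintf(&b, "UPDATE categories SET sort_order = %d WHERE id = '%s' AND user_id = '%s';\n", i, id, userID)
	}
	return b.String()
}

// SafeReorderStatements validates every ID against the allowlist and binds all
// values as parameters, so stored data can never become SQL syntax. The same
// check belongs at write time, so a bad ID is never persisted in the first place.
func SafeReorderStatements(userID string, storedIDs []string) ([]Statement, error) {
	stmts := make([]Statement, 0, len(storedIDs))
	for i, id := range storedIDs {
		if !categoryIDPattern.MatchString(id) {
			return nil, fmt.Errorf("rejecting category id %q: not a valid id", id)
		}
		stmts = append(stmts, Statement{
			Query: "UPDATE categories SET sort_order = ? WHERE id = ? AND user_id = ?",
			Args:  []interface{}{i, id, userID},
		})
	}
	return stmts, nil
}

func main() {
	// Constructed sample: one well-formed ID and one poisoned stored value.
	fmt.Print(UnsafeReorderSQL("user1", []string{"abc123", "bad id'"}))
}
```

Run the unsafe function on the constructed sample to see the stray quote land inside the query text; the safe function refuses the same input before any SQL is built.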

Weakness Enumeration

SQL injection

Related Identifiers

CVE-2026-25773
GHSA-P32Q-V29X-WQ9R

Affected Products

Focalboard