CVE-2021-39165

HIGH8.1EPSS 80.4%

Unauthenticated SQL Injection in Cachet

Published: 8/30/2021Modified: 3/13/2026

Description

### Impact In Cachet versions through 2.3.18, there is a SQL injection which is in the `SearchableTrait#scopeSearch()`. Attackers without authentication can utilize this vulnerability to exfiltrate sensitive data from the database such as administrator's password and session. ### Patches The original repository of [https://github.com/CachetHQ/Cachet](https://github.com/CachetHQ/Cachet) is not active, the stable version 2.3.18 and it's developing 2.4 branch is affected. Update to version 2.5 or later in the [https://github.com/fiveai/Cachet fork](https://github.com/fiveai/Cachet) to fix this vulnerability.

Affected packages (1)

Packagist/cachethq/cachetfrom 0, <= 2.3.18

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.1	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

References (3)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2021-39165
WEBhttps://github.com/fiveai/Cachet/commit/27bca8280419966ba80c6fa283d985ddffa84bb6
WEBhttps://github.com/fiveai/Cachet/security/advisories/GHSA-79mg-4w23-4fqc