GHSA-79mg-4w23-4fqc

GitHub Security Advisory

Unauthenticated SQL Injection in Cachet

✓ GitHub Reviewed HIGH Has CVE

Advisory Details

### Impact
Cachet versions through 2.3.18 contain a SQL injection in `SearchableTrait#scopeSearch()`. Unauthenticated attackers can use this vulnerability to exfiltrate sensitive data from the database, such as the administrator's password and session.

### Patches

The original repository at [https://github.com/CachetHQ/Cachet](https://github.com/CachetHQ/Cachet) is not active. Both the stable version 2.3.18 and its development 2.4 branch are affected.

Update to version 2.5 or later in the [https://github.com/fiveai/Cachet](https://github.com/fiveai/Cachet) fork to fix this vulnerability.

Affected Packages

Packagist cachethq/cachet
Affected versions: 0 (last affected: 2.3.18)

Key Information

GHSA ID: GHSA-79mg-4w23-4fqc
Published: August 30, 2021 4:12 PM
Last Modified: August 27, 2021 12:54 PM
CVSS Score: 7.5 / 10
Primary Ecosystem: Packagist
Primary Package: cachethq/cachet
GitHub Reviewed: ✓ Yes

Dataset

Last updated: July 28, 2025 6:37 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.