QSearchQSearch

CVE-2021-39172

8.8 HIGH

Cachet is an open source status page system

Published: 2021-08-27 · Last updated: 2026-06-17

Severity and scoring

CVSS
8.8 HIGH
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE
CWE-93

Affected products

VendorProduct
catchethqcatchet

Description

Cachet is an open source status page system. Prior to version 2.5.1, authenticated users, regardless of their privileges (User or Admin), can exploit a new line injection in the configuration edition feature (e.g. mail settings) and gain arbitrary code execution on the server. This issue was addressed in version 2.5.1 by improving `UpdateConfigCommandHandler` and preventing the use of new lines characters in new configuration values. As a workaround, only allow trusted source IP addresses to access to the administration dashboard.

Source: NVD

References

Related CVEs

Same vendor

  • CVE-2021-39174 Cachet is an open source status page system (8.8 HIGH)
  • CVE-2021-39173 Cachet is an open source status page system (8.8 HIGH)

Same CWE

  • CVE-2026-12143 form-data is a library for creating readable multipart/form-data streams (7.5 HIGH)
  • CVE-2026-50629 The 'clientId' parameter from incoming HTTP requests is directly concatenated into OAuth2 server log warning messages without sanitizing ... (5.3 MEDIUM)
  • CVE-2026-49214 guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP (5.3 MEDIUM)
  • CVE-2026-50639 Metrics::Any::Adapter::SignalFx versions before 0.04 for Perl does not protect against metric injections (6.5 MEDIUM)
  • CVE-2026-50638 Metrics::Any::Adapter::DogStatsd versions before 0.04 for Perl does not protect against metric injections (9.1 CRITICAL)