Hi,
The following vulnerabilities were published for cacti.
CVE-2026-39893[0]:
| Cacti is an open source performance and fault management framework.
| In versions 1.2.30 and prior, the rfilter request variable was
| concatenated into a RLIKE SQL clause without sanitization. The
| endpoint does not require authentication (graph viewing supports
| guest access via the configured guest user), so the SQLi was
| reachable pre-auth on installs with guest viewing enabled. This
| issue was fixed in version 1.2.31.
CVE-2026-39894[1]:
| Cacti is an open source performance and fault management framework.
| In versions 1.2.30 and below, the locale-dependent decimal
| formatting in rrdtool_function_update() can corrupt RRDtool metric
| values. The rrdtool_function_update() function checks metric values
| with is_numeric() and concatenates them into the RRDtool update
| command via PHP string interpolation. PHP's string cast of floats is
| locale-sensitive: if LC_NUMERIC uses comma as decimal separator
| (e.g., de_DE), a value of 1.5 becomes "1,5". RRDtool expects . as
| decimal separator, causing metric data to shift into wrong columns
| or be silently dropped. No setlocale() reset is present in the
| update path. This causes a data integrity issue, but is not remotely
| exploitable; it requires server locale misconfiguration. The issue
| has been fixed in version 1.2.31.
CVE-2026-39897[2]:
| Cacti is an open source performance and fault management framework.
| Versions 1.2.30 and below contain a Reflected XSS vulnerability in
| the html_auth_footer. This issue has been fixed in version 1.2.31.
CVE-2026-39899[3]:
| Cacti is an open source performance and fault management framework.
| Versions 1.2.30 and prior are vulnerable to Path Traversal via
| filename parameter in package_import.php. This issue has been fixed
| in version 1.2.31.
CVE-2026-39900[4]:
| Cacti is an open source performance and fault management framework.
| Versions 1.2.30 and prior are vulnerable to Reflected XSS via tab
| parameter in the auth_profile.php JavaScript context. This issue has
| been fixed in version 1.2.31.
CVE-2026-39938[5]:
| Cacti is an open source performance and fault management framework.
| Versions 1.2.30 and prior have unauthenticated LFI through
| graph_theme and rrdtool IPC serialization hardening. This issue has
| been resolved in version 1.2.31.
CVE-2026-39948[6]:
| Cacti is an open source performance and fault management framework.
| In versions 1.2.30 and prior, the rfilter request parameter is
| retrieved via the raw accessor grv() (rather than gfrv() with
| FILTER_VALIDATE_IS_REGEX validation) and concatenated directly into
| RLIKE SQL clauses in lib/html_graph.php and lib/html_tree.php, which
| are reachable pre-authentication through graph_view.php on
| installations with guest graph viewing enabled. Because the
| unbalanced-quote payload bypasses the regex validation that would
| otherwise reject it, an unauthenticated attacker can inject
| arbitrary SQL to compromise the confidentiality, integrity, and
| availability of the database. This advisory is similar to
| GHSA-69gg-mjfm-jjpc. This issue has been fixed in version 1.2.31.
CVE-2026-39951[7]:
| Cacti is an open source performance and fault management framework.
| Versions 1.2.30 and prior have a Stored SQL Injection vulnerability
| through graph_name_regexp in the Reports feature. This issue has
| been fixed in version 1.2.31.
CVE-2026-39955[8]:
| Cacti is an open source performance and fault management framework.
| Versions 1.2.30 and prior have pre-authentication SQL Injection via
| unanchored FILTER_VALIDATE_REGEXP in graph_view.php. This issue has
| been fixed in version 1.2.31.
CVE-2026-40079[9]:
| Cacti is an open source performance and fault management framework.
| Versions 1.2.30 and prior are vulnerable to Command Injection due to
| lack of sanitization in the escape_command() function. The
| escape_command() function at lib/rrd.php is a no-op: it returns
| $command unchanged. The command line built by
| rrdtool_function_graph() is passed through this function and then to
| shell_exec($full_commandline). The risk is in __rrd_execute() where
| text_format values from graph templates (which may contain host
| variable substitutions) reach shell_exec without adequate escaping.
| This issue has been addressed in version 1.2.31.
CVE-2026-40080[10]:
| Cacti is an open source performance and fault management framework.
| Versions 1.2.30 and prior are vulnerable to Open Redirect through a
| substring check rather than a host check at str_contains($referer,
| CACTI_PATH_URL). When the user's login_opts == '1' (redirect to
| referer after login), the function used $_SERVER['HTTP_REFERER']
| directly. An attacker could craft a referer such as
| https://evil.com/cacti/. Where CACTI_PATH_URL is /cacti/, the
| substring matches and the user is redirected to evil.com after
| login. The pre-existing validate_redirect_url() helper at
| lib/html_utility.php performed proper validation but was not invoked
| from auth_login_redirect(). This issue has been fixed in version
| 1.2.31.
CVE-2026-40082[11]:
| Cacti is an open source performance and fault management framework.
| Versions 1.2.30 and prior have missing session_regenerate_id() after
| login, leading to Session Fixation. session_regenerate_id() is NOT
| called after successful login. The login flow at
| auth_login.php:203-207 directly sets $_SESSION[SESS_USER_ID] without
| rotating the session ID. The session cookie configuration is
| otherwise good (httponly=true, samesite=Strict, secure=true for
| HTTPS at include/global.php:513-537), but these do not prevent
| session fixation via same-site vectors. This issue has been fixed in
| version 1.2.31.
CVE-2026-40083[12]:
| Cacti is an open source performance and fault management framework.
| Versions 1.2.30 and prior have SQL Injection through unsanitized
| unserialize+implode in managers.php. At line 756 of managers.php,
| the application assigns $selected_items by calling
| cacti_unserialize(stripslashes(gnrv('selected_graphs_array'))). The
| cacti_unserialize() function calls unserialize() with
| allowed_classes set to false, which prevents object injection but
| still allows arbitrary string arrays to be deserialized. Then, at
| lines 760 to 766, the deserialized array values are passed directly
| into db_execute('DELETE FROM snmpagent_managers WHERE id IN (' .
| implode(',', $selected_items) . ')'), where they are imploded into
| the SQL statement without any integer validation, resulting in SQL
| Injection when using SNMP agent management permissions. This issue
| has been fixed in version 1.2.31.
CVE-2026-40084[13]:
| Cacti is an open source performance and fault management framework.
| Versions 1.2.30 and prior are vulnerable to Path Traversal through
| the Report format_file Parameter, causing arbitrary file read. This
| vulnerability occurs in two stages. In the first stage (stored
| injection), lib/html_reports.php at line 283 stores
| $save['format_file'] = $post['format_file'] directly into the
| database without any validation. In the second stage (file read),
| lib/reports.php at line 667 concatenates CACTI_PATH_FORMATS . '/' .
| $format_file, and line 670 then calls file($format_file), reading
| arbitrary files from the filesystem. This issue has been fixed in
| version 1.2.31.
CVE-2026-40941[14]:
| Cacti is an open source performance and fault management framework.
| Versions 1.2.30 and prior have a package import signature validation
| bypass which allows self-signed packages. This issue has been
| fixed in version 1.2.31.
If you fix the vulnerabilities, please also make sure to include the
CVE (Common Vulnerabilities & Exposures) IDs in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-39893
https://www.cve.org/CVERecord?id=CVE-2026-39893
[1] https://security-tracker.debian.org/tracker/CVE-2026-39894
https://www.cve.org/CVERecord?id=CVE-2026-39894
[2] https://security-tracker.debian.org/tracker/CVE-2026-39897
https://www.cve.org/CVERecord?id=CVE-2026-39897
[3] https://security-tracker.debian.org/tracker/CVE-2026-39899
https://www.cve.org/CVERecord?id=CVE-2026-39899
[4] https://security-tracker.debian.org/tracker/CVE-2026-39900
https://www.cve.org/CVERecord?id=CVE-2026-39900
[5] https://security-tracker.debian.org/tracker/CVE-2026-39938
https://www.cve.org/CVERecord?id=CVE-2026-39938
[6] https://security-tracker.debian.org/tracker/CVE-2026-39948
https://www.cve.org/CVERecord?id=CVE-2026-39948
[7] https://security-tracker.debian.org/tracker/CVE-2026-39951
https://www.cve.org/CVERecord?id=CVE-2026-39951
[8] https://security-tracker.debian.org/tracker/CVE-2026-39955
https://www.cve.org/CVERecord?id=CVE-2026-39955
[9] https://security-tracker.debian.org/tracker/CVE-2026-40079
https://www.cve.org/CVERecord?id=CVE-2026-40079
[10] https://security-tracker.debian.org/tracker/CVE-2026-40080
https://www.cve.org/CVERecord?id=CVE-2026-40080
[11] https://security-tracker.debian.org/tracker/CVE-2026-40082
https://www.cve.org/CVERecord?id=CVE-2026-40082
[12] https://security-tracker.debian.org/tracker/CVE-2026-40083
https://www.cve.org/CVERecord?id=CVE-2026-40083
[13] https://security-tracker.debian.org/tracker/CVE-2026-40084
https://www.cve.org/CVERecord?id=CVE-2026-40084
[14] https://security-tracker.debian.org/tracker/CVE-2026-40941
https://www.cve.org/CVERecord?id=CVE-2026-40941
Regards,
Salvatore
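An added example, not Cacti's code and not part of the report above, contrasting the substring referer check described under CVE-2026-40080 with a host-based check of the kind the advisory says validate_redirect_url() performs; the CACTI_HOST constant and the sample referers are assumed and constructed for the demo.

```php
<?php
// Added example (not Cacti's own code). CACTI_PATH_URL mirrors the value
// quoted in the advisory; CACTI_HOST is an assumed own hostname.
define('CACTI_PATH_URL', '/cacti/');
const CACTI_HOST = 'cacti.example.org';

// Weak check as described in the advisory: any URL whose text merely
// contains '/cacti/' passes, including one on a foreign host.
function weak_referer_ok(string $referer): bool {
    return str_contains($referer, CACTI_PATH_URL);
}

// Hardened check: parse the URL; if it names a host, that host must be our
// own and the scheme must be http/https; if it is host-less it must be a
// plain path (not scheme-relative); and the path must sit under CACTI_PATH_URL.
function safe_referer_ok(string $referer): bool {
    $parts = parse_url($referer);
    if ($parts === false) {
        return false; // unparsable input is refused, not redirected to
    }
    if (isset($parts['host'])) {
        if (strcasecmp($parts['host'], CACTI_HOST) !== 0) {
            return false; // foreign host, e.g. https://evil.example/cacti/
        }
        $scheme = strtolower($parts['scheme'] ?? 'https');
        if (!in_array($scheme, ['http', 'https'], true)) {
            return false;
        }
    } elseif (str_starts_with($referer, '//') || str_starts_with($referer, '\\')) {
        return false; // scheme-relative forms resolve to a foreign host
    }
    $path = $parts['path'] ?? '/';
    return str_starts_with($path, CACTI_PATH_URL);
}

// Constructed sample referers with the verdict a defender expects.
$cases = [
    'https://cacti.example.org/cacti/graph_view.php' => true,
    'https://evil.example/cacti/'                     => false,
    '//evil.example/cacti/'                           => false,
    'https://cacti.example.org@evil.example/cacti/'   => false,
    '/cacti/index.php'                                => true,
];
foreach ($cases as $referer => $expected) {
    printf("%-48s weak=%d safe=%d expected=%d\n",
        $referer, weak_referer_ok($referer), safe_referer_ok($referer), $expected);
}
```

The weak check reports 1 for every row because each string contains '/cacti/'; only the host-based check agrees with the expected column.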