CVE-2026-40941
- EPSS 0.16%
- Veröffentlicht 25.06.2026 23:01:30
- Zuletzt bearbeitet 29.06.2026 18:47:08
Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have a package import signature validation bypass allows which allows self-signed packages. This issue has been fixed in version 1.2.31.
CVE-2026-40084
- EPSS 0.32%
- Veröffentlicht 25.06.2026 22:43:47
- Zuletzt bearbeitet 29.06.2026 18:48:17
Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior are vulnerable to Path Traversal through the Report format_file Parameter, causing arbitrary file read. This vulnerability occurs in two stages. In the fir...
CVE-2026-40083
- EPSS 0.28%
- Veröffentlicht 25.06.2026 22:39:17
- Zuletzt bearbeitet 30.06.2026 05:18:56
Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have SQL Injection through unsanitized unserialize+implode in managers.php. At line 756 of managers.php, the application assigns $selected_items by calling...
CVE-2026-40082
- EPSS 0.18%
- Veröffentlicht 25.06.2026 22:33:45
- Zuletzt bearbeitet 29.06.2026 18:50:31
Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have missing session_regenerate_id() after login, leading to Session Fixation. session_regenerate_id() is NOT called after successful login. The login flow ...
CVE-2026-40080
- EPSS 0.15%
- Veröffentlicht 25.06.2026 22:29:51
- Zuletzt bearbeitet 29.06.2026 18:52:43
Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior are vulnerable to Open Redirect through a substring check rather than a host check at str_contains($referer, CACTI_PATH_URL). When the user's login_opts == ...
CVE-2026-40079
- EPSS 0.92%
- Veröffentlicht 24.06.2026 23:26:40
- Zuletzt bearbeitet 26.06.2026 00:16:51
Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior are vulnerable to Command Injection due to lack of sanitization in the escape_command() function. The escape_command() function at lib/rrd.php is a no-op: i...
CVE-2026-39948
- EPSS 0.42%
- Veröffentlicht 24.06.2026 23:16:40
- Zuletzt bearbeitet 26.06.2026 05:16:27
Cacti is an open source performance and fault management framework. In versions 1.2.30 and prior, the rfilter request parameter is retrieved via the raw accessor grv() (rather than gfrv() with FILTER_VALIDATE_IS_REGEX validation) and concatenated dir...
CVE-2026-39955
- EPSS 0.32%
- Veröffentlicht 24.06.2026 23:16:40
- Zuletzt bearbeitet 26.06.2026 05:16:27
Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have pre-authentication SQL Injection via unanchored FILTER_VALIDATE_REGEXP in graph_view.php. This issue has been fixed in version 1.2.31.
CVE-2026-39951
- EPSS 0.19%
- Veröffentlicht 24.06.2026 23:14:39
- Zuletzt bearbeitet 26.06.2026 19:16:40
Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have a Stored SQL Injection vulnerability through graph_name_regexp in the Reports feature. This issue has been fixed in version 1.2.31.
CVE-2026-39938
- EPSS 0.44%
- Veröffentlicht 24.06.2026 22:41:04
- Zuletzt bearbeitet 26.06.2026 05:16:26
Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have unauthenticated LFI through graph_theme and rrdtool IPC serialization hardening. This issue has been resolved in version 1.2.31.