CVE-2026-39900
- EPSS 0.27%
- Veröffentlicht 24.06.2026 22:37:17
- Zuletzt bearbeitet 25.06.2026 15:00:28
Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior are vulnerable to Reflected XSS via tab parameter in the auth_profile.php JavaScript context. This issue has been fixed in version 1.2.31.
CVE-2026-39899
- EPSS 0.34%
- Veröffentlicht 24.06.2026 22:33:14
- Zuletzt bearbeitet 26.06.2026 00:16:51
Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior are vulnerable to Path Traversal via filename parameter in package_import.php. This issue has been fixed in version 1.2.31.
CVE-2026-39893
- EPSS 0.38%
- Veröffentlicht 24.06.2026 22:16:46
- Zuletzt bearbeitet 26.06.2026 05:16:26
Cacti is an open source performance and fault management framework. In versions 1.2.30 and prior, the rfilter request variable was concatenated into a RLIKE SQL clause without sanitization. The endpoint does not require authentication (graph viewing ...
CVE-2026-39894
- EPSS 0.12%
- Veröffentlicht 24.06.2026 22:16:46
- Zuletzt bearbeitet 25.06.2026 20:19:35
Cacti is an open source performance and fault management framework. In versions 1.2.30 and below, the locale-dependent decimal formatting in rrdtool_function_update() can corrupt RRDtool metric values. The rrdtool_function_update() function checks me...
CVE-2026-39897
- EPSS 0.27%
- Veröffentlicht 24.06.2026 22:16:46
- Zuletzt bearbeitet 25.06.2026 15:04:26
Cacti is an open source performance and fault management framework. Versions 1.2.30 and below contain a Reflected XSS vulnerability in the html_auth_footer. This issue has been fixed in version 1.2.31.
CVE-2025-45160
- EPSS 0.2%
- Veröffentlicht 29.01.2026 00:00:00
- Zuletzt bearbeitet 15.04.2026 00:35:42
A HTML injection vulnerability exists in the file upload functionality of Cacti <= 1.2.29. When a file with an invalid format is uploaded, the application reflects the submitted filename back into an error popup without proper sanitization. As a resu...
CVE-2025-66399
- EPSS 10.94%
- Veröffentlicht 02.12.2025 17:57:11
- Zuletzt bearbeitet 05.12.2025 18:57:11
Cacti is an open source performance and fault management framework. Prior to 1.2.29, there is an input-validation flaw in the SNMP device configuration functionality. An authenticated Cacti user can supply crafted SNMP community strings containing co...
CVE-2005-10004
- EPSS 1.78%
- Veröffentlicht 30.08.2025 13:45:16
- Zuletzt bearbeitet 26.12.2025 16:42:27
Cacti versions prior to 0.8.6-d contain a remote command execution vulnerability in the graph_view.php script. An authenticated user can inject arbitrary shell commands via the graph_start GET parameter, which is improperly handled during graph rende...
CVE-2025-26520
- EPSS 0.45%
- Veröffentlicht 12.02.2025 07:15:08
- Zuletzt bearbeitet 12.02.2025 07:15:08
Cacti through 1.2.29 allows SQL injection in the template function in host_templates.php via the graph_template parameter. NOTE: this issue exists because of an incomplete fix for CVE-2024-54146.
CVE-2025-24367
- EPSS 54.02%
- Veröffentlicht 27.01.2025 18:15:42
- Zuletzt bearbeitet 03.11.2025 22:18:40
Cacti is an open source performance and fault management framework. An authenticated Cacti user can abuse graph creation and graph template functionality to create arbitrary PHP scripts in the web root of the application, leading to remote code execu...