Cacti is an open source performance and fault management framework. An authenticated Cacti user can abuse graph creation and graph template functionality to create arbitrary PHP scripts in the web root of the application, leading to remote code execution on the server. This vulnerability is fixed in 1.2.29.
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XCacti
APPCacti< 1.2.29
π΅
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
Related vulnerabilities
CVE-2022-46169CRITICAL9.8β KEVten sam produkt
Cacti is an open source platform which provides a robust and extensible operational monitoring and fault manag...
CVE-2026-39938CRITICAL9.8PL βten sam produkt
Niezautoryzowany path traversal i command injection w Cacti (LFI)
CVE-2026-39948CRITICAL9.3PL βten sam produkt
Cacti: Pre-auth SQL injection przez parametr rfilter (SQLi)
CVE-2026-39893CRITICAL9.8PL βten sam produkt
SQL Injection w Cacti β atak bez uwierzytelnienia przez parametr rfilter
CVE-2026-39955CRITICAL9.8PL βten sam produkt
SQL Injection przed uwierzytelnieniem w Cacti (graph_view.php)