CRITICAL🇵🇱 Wersja polska

CVE-2026-39893

CVSS 9.8v3.1pub. 2026-06-24upd. 2026-06-26

Cacti is an open source performance and fault management framework. In versions 1.2.30 and prior, the rfilter request variable was concatenated into a RLIKE SQL clause without sanitization. The endpoint does not require authentication (graph viewing supports guest access via the configured guest user), so the SQLi was reachable pre-auth on installs with guest viewing enabled. This issue was fixed in version 1.2.31.

🤖 AI Analysis
How it works

The rfilter parameter passed in the HTTP request was directly concatenated into the SQL query in the RLIKE clause without any validation or parameterization (CWE-89). The endpoint responsible for viewing graphs supports guest access through a configured guest account, which means that an unauthenticated attacker can send a crafted request to an installation with guest viewing enabled. This allows execution of arbitrary SQL queries in the context of the application database.

Impact

An attacker without any authentication can gain unauthorized access to sensitive data stored in the database, modify it or destroy it, and depending on the database server configuration, potentially escalate access to the operating system.

Mitigation & patch

Cacti should be updated to version 1.2.31, in which the issue has been fixed. Until the update is applied, it is recommended to disable the guest access to graphs functionality (guest viewing) in the application configuration.

Who is affected

Cacti in versions 1.2.30 and earlier with guest viewing functionality enabled.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Cacti

    APP
    Cacti
    < 1.2.31
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
SQLi
CWE
References

Related vulnerabilities

CVE-2022-46169CRITICAL9.8⚠ KEVten sam produkt

Cacti is an open source platform which provides a robust and extensible operational monitoring and fault manag...

CVE-2026-39948CRITICAL9.3PL ✓ten sam produkt

Cacti: Pre-auth SQL injection przez parametr rfilter (SQLi)

CVE-2026-39955CRITICAL9.8PL ✓ten sam produkt

SQL Injection przed uwierzytelnieniem w Cacti (graph_view.php)

CVE-2026-39938CRITICAL9.8PL ✓ten sam produkt

Niezautoryzowany path traversal i command injection w Cacti (LFI)

CVE-2025-22604CRITICAL9.1PL ✓ten sam produkt

Cacti: Command Injection przez malformowane OID w parserze SNMP