Unrated severityNVD Advisory· Published Aug 30, 2025· Updated Apr 7, 2026

Cacti graph_view.php RCE via graph_start Parameter Injection

CVE-2005-10004

Description

Cacti versions prior to 0.8.6-d contain a remote command execution vulnerability in the graph_view.php script. An authenticated user can inject arbitrary shell commands via the graph_start GET parameter, which is improperly handled during graph rendering. This flaw allows attackers to execute commands on the underlying operating system with the privileges of the web server process, potentially compromising system integrity.

Affected products

Raxnet/ian Berry/Cactiv5
Range: *

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

web.archive.org/web/20050305034552/http://www.cacti.net/cactid_download.phpmitreproductpatch
raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/cacti_graphimage_exec.rbmitreexploit
www.exploit-db.com/exploits/16881mitreexploit
www.exploit-db.com/exploits/9911mitreexploit
www.vulncheck.com/advisories/cacti-graph-view-rcemitrethird-party-advisory
www.cacti.net/info/downloadsmitreproduct

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.046
exploit	0.030
kev	0.000
patch	0.000
ransomware	0.000