CVE-2018-20726
Description
A cross-site scripting (XSS) vulnerability exists in host.php (via tree.php) in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Website Hostname field for Devices.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
9 entries: release/1.0.0, release/1.0.1, release/1.0.2, … (+1 more)
- (no CPE) range: release/1.0.0, release/1.0.1, release/1.0.2, …
- (no CPE) range: <1.2.0
- osv-coords (7 versions):
  - pkg:rpm/opensuse/cacti&distro=openSUSE%20Leap%2015.1
  - pkg:rpm/opensuse/cacti&distro=openSUSE%20Tumbleweed
  - pkg:rpm/opensuse/cacti-spine&distro=openSUSE%20Leap%2015.1
  - pkg:rpm/suse/cacti&distro=SUSE%20Package%20Hub%2012
  - pkg:rpm/suse/cacti&distro=SUSE%20Package%20Hub%2015%20SP1
  - pkg:rpm/suse/cacti-spine&distro=SUSE%20Package%20Hub%2012
  - pkg:rpm/suse/cacti-spine&distro=SUSE%20Package%20Hub%2015%20SP1
< 1.2.9-lp151.3.3.1 (+6 more)
- (no CPE) range: < 1.2.9-lp151.3.3.1
- (no CPE) range: < 1.2.18-1.2
- (no CPE) range: < 1.2.9-lp151.3.3.1
- (no CPE) range: < 1.2.11-5.1
- (no CPE) range: < 1.2.9-bp151.4.3.1
- (no CPE) range: < 1.2.11-2.1
- (no CPE) range: < 1.2.9-bp151.4.3.1
Patches
Vulnerability mechanics
Root cause
"Missing HTML escaping of the Website Hostname field value before rendering in the Tree table allows stored XSS."
Attack vector
An attacker with the ability to edit a Device's "Website Hostname" field can inject a JavaScript payload such as `<img src=xss onerror=alert(1)>` [ref_id=1]. When a victim visits `tree.php?action=edit&id=1`, the stored payload is rendered unsanitized in the Tree table, causing the script to execute in the victim's browser [ref_id=1]. No authentication bypass is needed — the attacker must have access to edit device settings.
Affected code
The vulnerability exists in `host.php` (via `tree.php`) in Cacti before 1.2.0. The "Website Hostname" field for Devices is stored without escaping, and when rendered in the Tree table the value is printed directly without sanitization [ref_id=1].
What the fix does
The commit [ref_id=2] applies `html_escape()` to user-supplied values before they are output in HTML context. For example, `$name` is wrapped with `html_escape($name)` and `$value` is passed through `form_selectable_ecell()` (which escapes its content) instead of `form_selectable_cell()`. This ensures that any HTML or JavaScript embedded in the Hostname field is rendered as plain text, preventing XSS.
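As an added illustration, not code from Cacti or from the fix commit, the unescaped cell rendering is shown beside its escaped form; `html_escape_example()` is an assumed stand-in for Cacti's `html_escape()`, and the `title` attribute and the `cell_is_inert()` check are hypothetical additions for the demonstration:

```php
<?php
// Added example, not Cacti's own code: a hypothetical Tree-table cell renderer
// showing the unescaped pattern behind CVE-2018-20726 next to the escaped one.

// Stand-in for Cacti's html_escape(); assumed here to wrap htmlspecialchars().
// ENT_QUOTES escapes both quote styles, so one call covers element text and
// quoted attribute values alike.
function html_escape_example(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable pattern: the stored Website Hostname is interpolated verbatim,
// so markup typed into the field becomes part of the page's DOM.
function render_cell_vulnerable(string $hostname): string
{
    return '<td title="' . $hostname . '">' . $hostname . '</td>';
}

// Fixed pattern: escape at the output boundary, in the HTML context the
// value is emitted into (the escaped form is safe in both places here).
function render_cell_fixed(string $hostname): string
{
    $safe = html_escape_example($hostname);
    return '<td title="' . $safe . '">' . $safe . '</td>';
}

// Regression check a maintainer could keep in a test: the rendered cell may
// contain only the two tags and the two attribute quotes the template itself
// emits; any extra '<' or '"' came from the user value unescaped.
function cell_is_inert(string $rendered): bool
{
    return substr_count($rendered, '<') === 2
        && substr_count($rendered, '"') === 2;
}

// Constructed input: the payload quoted in the issue report for this CVE.
$stored = '<img src=xss onerror=alert(1)>';

echo render_cell_vulnerable($stored), PHP_EOL;
echo render_cell_fixed($stored), PHP_EOL;
var_dump(cell_is_inert(render_cell_vulnerable($stored)));
var_dump(cell_is_inert(render_cell_fixed($stored)));
```

The first `var_dump` reports the vulnerable cell as not inert and the second reports the escaped cell as inert, which is the property the commit's `html_escape()` call restores.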
Preconditions
- auth: Attacker must have privileges to edit a Device's Website Hostname field
- input: Victim must visit the tree.php page that renders the stored Hostname value
Reproduction
1. Navigate to `http://localhost:4040/cacti/host.php?action=edit&id=1` and set the Hostname field to `<img src=xss onerror=alert(1)>`.
2. Visit `http://localhost:4040/cacti/tree.php?action=edit&id=1` — the payload executes [ref_id=1].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
7 references:
- lists.opensuse.org/opensuse-security-announce/2020-03/msg00001.html (mitre, vendor advisory, x_refsource_SUSE)
- lists.opensuse.org/opensuse-security-announce/2020-03/msg00005.html (mitre, vendor advisory, x_refsource_SUSE)
- lists.opensuse.org/opensuse-security-announce/2020-04/msg00042.html (mitre, vendor advisory, x_refsource_SUSE)
- lists.opensuse.org/opensuse-security-announce/2020-04/msg00048.html (mitre, vendor advisory, x_refsource_SUSE)
- github.com/Cacti/cacti/blob/develop/CHANGELOG (mitre, x_refsource_MISC)
- github.com/Cacti/cacti/commit/80c2a88fb2afb93f87703ba4641f9970478c102d (mitre, x_refsource_MISC)
- github.com/Cacti/cacti/issues/2213 (mitre, x_refsource_MISC)
News mentions
No linked articles in our index yet.