SQL Injection vulnerability when managing SNMP Notification Receivers
Description
Cacti provides an operational monitoring and fault management framework. Version 1.2.25 has a Blind SQL Injection (SQLi) vulnerability within the SNMP Notification Receivers feature in the file `managers.php`. An authenticated attacker with the "Settings/Utilities" permission can send a crafted HTTP GET request to the endpoint `/cacti/managers.php` with an SQLi payload in the `selected_graphs_array` HTTP GET parameter. As of the time of publication, no patched versions exist.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
Cacti (no CPE):
- range: = 1.2.25
- range: <= 1.2.25

OSV coordinates (7 packages):
- pkg:rpm/opensuse/cacti&distro=openSUSE%20Leap%2015.5
- pkg:rpm/opensuse/cacti&distro=openSUSE%20Tumbleweed
- pkg:rpm/opensuse/cacti-spine&distro=openSUSE%20Leap%2015.5
- pkg:rpm/suse/cacti&distro=SUSE%20Package%20Hub%2012
- pkg:rpm/suse/cacti&distro=SUSE%20Package%20Hub%2015%20SP5
- pkg:rpm/suse/cacti-spine&distro=SUSE%20Package%20Hub%2012
- pkg:rpm/suse/cacti-spine&distro=SUSE%20Package%20Hub%2015%20SP5

Version ranges for the OSV coordinates (7 entries, in the order listed):
- (no CPE) range: < 1.2.26-bp155.2.6.1
- (no CPE) range: < 1.2.26-1.1
- (no CPE) range: < 1.2.26-bp155.2.6.1
- (no CPE) range: < 1.2.26-bp155.2.6.1
- (no CPE) range: < 1.2.26-bp155.2.6.1
- (no CPE) range: < 1.2.26-bp155.2.6.1
- (no CPE) range: < 1.2.26-bp155.2.6.1
Patches
Vulnerability mechanics
Root cause
"The application deserializes user-controlled input without proper sanitization, leading to SQL injection."
Attack vector
An authenticated attacker with the "Settings/Utilities" permission can send a crafted HTTP GET request to the `/cacti/managers.php` endpoint. The payload is delivered via the `selected_graphs_array` HTTP GET parameter, which is deserialized and then concatenated into a raw SQL query. The vulnerability occurs within the `form_actions` function in `managers.php` [ref_id=1].
Affected code
The vulnerability resides in the `form_actions` function within the file `managers.php`. Specifically, the code processes `selected_items` and `action_receivers` parameters, leading to deserialization of user-provided data. Functions like `get_nfilter_request_var` and `stripslashes` do not perform adequate sanitization before the data is passed to `cacti_unserialize` [ref_id=1].
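The two paragraphs above describe the bug class (a serialized, user-controlled list is unserialized and its values are concatenated into SQL) and the place it lives, but not what a safe handler looks like. The following PHP is an added illustration written for this page; it is not Cacti's code and does not reproduce `form_actions`. The table name `graph_receivers`, the function names, and the use of PDO with an in-memory SQLite database are assumptions chosen so the example runs stand-alone.

```php
<?php
// Added illustration, not Cacti's code. Shows the bug class described above
// (untrusted serialized list spliced into SQL) next to a hardened handler.
// Table name graph_receivers, function names and PDO/SQLite are assumptions.

// --- Vulnerable pattern (for contrast; do not use) ---
// Mirrors stripslashes() + unserialize() on a request parameter, then string
// concatenation: every element is interpreted as SQL text, not as data.
function delete_receivers_unsafe(PDO $pdo, string $raw): void
{
    $items = unserialize(stripslashes($raw)); // attacker controls values AND types
    $list  = implode(',', $items);
    $pdo->exec("DELETE FROM graph_receivers WHERE id IN ($list)");
}

// --- Hardened pattern ---
// 1) never unserialize() untrusted input; a JSON array is enough for an id list
// 2) coerce every element to a non-negative integer and reject anything else
// 3) bind the values through a prepared statement, one placeholder per id
function parse_id_list(string $raw): array
{
    $decoded = json_decode($raw, true);
    if (!is_array($decoded)) {
        throw new InvalidArgumentException('expected a JSON array of ids');
    }
    $ids = [];
    foreach ($decoded as $v) {
        // (string) cast so ctype_digit checks characters, not an int's code point;
        // rejects negatives, floats, empty strings and anything containing SQL syntax
        if (!is_scalar($v) || !ctype_digit((string) $v)) {
            throw new InvalidArgumentException('non-numeric id rejected');
        }
        $ids[] = (int) $v;
    }
    return $ids;
}

function delete_receivers_safe(PDO $pdo, string $raw): int
{
    $ids = parse_id_list($raw);
    if ($ids === []) {
        return 0; // nothing selected: no query at all
    }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $pdo->prepare("DELETE FROM graph_receivers WHERE id IN ($placeholders)");
    foreach ($ids as $i => $id) {
        $stmt->bindValue($i + 1, $id, PDO::PARAM_INT); // data, never SQL text
    }
    $stmt->execute();
    return $stmt->rowCount();
}

// Demo against constructed sample data in an in-memory SQLite database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE graph_receivers (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO graph_receivers VALUES (1,'a'),(2,'b'),(3,'c')");

echo delete_receivers_safe($pdo, '[1,"3"]'), " rows deleted\n";
try {
    delete_receivers_safe($pdo, '["not-a-number"]');
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
echo $pdo->query('SELECT COUNT(*) FROM graph_receivers')->fetchColumn(), " rows remain\n";
```

The hardened version addresses both halves of the root cause the page names: it removes the deserialization of attacker-controlled data entirely, and it stops the query from being built by concatenation, so a rejected element never reaches the database as SQL.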
What the fix does
As of the time of publication, no patched versions exist for this vulnerability. The advisory recommends that users upgrade to the latest version once available. The advisory does not specify the exact changes that will be made in a future patch [ref_id=1].
Preconditions
- auth: The attacker must be authenticated and possess the "Settings/Utilities" permission.
- input: The target table must contain at least one row for the injection to trigger.
Generated on Jun 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/Cacti/cacti/blob/5f6f65c215d663a775950b2d9db35edbaf07d680/managers.php (mitre, x_refsource_MISC)
- github.com/Cacti/cacti/security/advisories/GHSA-w85f-7c4w-7594 (mitre, x_refsource_CONFIRM)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RBEOAFKRARQHTDIYSL723XAFJ2Q6624X/ (mitre)
News mentions
No linked articles in our index yet.