Cacti Cross-site Scripting vulnerability when managing trees
Description
Cacti provides an operational monitoring and fault management framework. Versions of Cacti prior to 1.2.27 are vulnerable to stored cross-site scripting, a type of cross-site scripting where malicious scripts are permanently stored on a target server and served to users who access a particular page. Version 1.2.27 contains a patch for the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
Cacti (upstream)
- (no CPE) range: < 1.2.27
OSV coordinates (openSUSE / SUSE packages, 11 versions)
- pkg:rpm/opensuse/cacti&distro=openSUSE%20Leap%2015.5 range: < 1.2.27-bp155.2.9.1
- pkg:rpm/opensuse/cacti&distro=openSUSE%20Leap%2015.6 range: < 1.2.27-bp156.2.3.1
- pkg:rpm/opensuse/cacti&distro=openSUSE%20Tumbleweed range: < 1.2.27-1.1
- pkg:rpm/opensuse/cacti-spine&distro=openSUSE%20Leap%2015.5 range: < 1.2.27-bp155.2.9.1
- pkg:rpm/opensuse/cacti-spine&distro=openSUSE%20Leap%2015.6 range: < 1.2.27-bp156.2.3.1
- pkg:rpm/suse/cacti&distro=SUSE%20Package%20Hub%2012 range: < 1.2.27-bp155.2.9.1
- pkg:rpm/suse/cacti&distro=SUSE%20Package%20Hub%2015%20SP5 range: < 1.2.27-bp155.2.9.1
- pkg:rpm/suse/cacti&distro=SUSE%20Package%20Hub%2015%20SP6 range: < 1.2.27-bp156.2.3.1
- pkg:rpm/suse/cacti-spine&distro=SUSE%20Package%20Hub%2012 range: < 1.2.27-bp155.2.9.1
- pkg:rpm/suse/cacti-spine&distro=SUSE%20Package%20Hub%2015%20SP5 range: < 1.2.27-bp155.2.9.1
- pkg:rpm/suse/cacti-spine&distro=SUSE%20Package%20Hub%2015%20SP6 range: < 1.2.27-bp156.2.3.1
Patches
Vulnerability mechanics
Root cause
"Missing input sanitization and output escaping in device and tree management fields allows stored XSS."
Attack vector
An attacker with high-level permissions logs into Cacti and navigates to Management > Devices to create a new device. In the "Description" and "Hostname" fields, a malicious XSS payload is entered and saved. The attacker then goes to Management > Trees, enters a tree name, and under "Available Sites" navigates through sub-tabs, which triggers the stored script. The payload executes in the browsers of users who access the affected tree management page, potentially leading to session hijacking or cookie theft [ref_id=1].
Affected code
The advisory [ref_id=1] identifies that the vulnerability is triggered when managing trees in Cacti. Specifically, the "Description" and "Hostname" fields of a Device, and the "Tree Name" field, are not properly sanitized, allowing stored XSS payloads to be injected.
What the fix does
Version 1.2.27 contains a patch for the issue [ref_id=1]. The advisory recommends input sanitization and escaping to cleanse user inputs of malicious code, limiting the use of inline JavaScript, and ensuring proper output escaping for data retrieved from databases [ref_id=1]. No specific patch diff is provided in the bundle.
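To make the recommended output escaping concrete, here is an added example written for this page (it is not Cacti's own code and not the 1.2.27 patch; the $device array, the h() helper and the render/check functions are hypothetical stand-ins). It renders a device row once with the stored Description and Hostname interpolated raw, and once escaped at the output boundary, then checks whether the stored markup survives into the HTML:

```php
<?php
// Added example, not Cacti code: contrast unescaped interpolation of stored
// device fields (the defect class the advisory describes) with escaping on
// output. All names here are hypothetical stand-ins.

// Constructed sample record: Description and Hostname values carrying markup,
// as a user with device-creation rights could store them.
$device = [
    'description' => "core-router <script>alert('stored')</script>",
    'hostname'    => 'rtr1.example.invalid" onmouseover="alert(1)',
];

// Vulnerable pattern: stored values are concatenated straight into the markup,
// so a stored tag runs in every browser that loads the page.
function render_device_row_unescaped(array $device): string
{
    return '<tr><td>' . $device['description'] . '</td>'
         . '<td><input value="' . $device['hostname'] . '"></td></tr>';
}

// Hardened pattern: escape at the output boundary. ENT_QUOTES also encodes
// single and double quotes so the attribute context is covered; ENT_SUBSTITUTE
// replaces invalid UTF-8 instead of returning an empty string.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_device_row_escaped(array $device): string
{
    return '<tr><td>' . h($device['description']) . '</td>'
         . '<td><input value="' . h($device['hostname']) . '"></td></tr>';
}

// Reviewer check: does any stored value appear verbatim in the rendered HTML?
// True means raw markup reached the page; false means it was neutralised.
function contains_raw_markup(string $html, array $device): bool
{
    foreach ($device as $value) {
        if (strpos($html, $value) !== false) {
            return true;
        }
    }
    return false;
}

var_dump(contains_raw_markup(render_device_row_unescaped($device), $device));
var_dump(contains_raw_markup(render_device_row_escaped($device), $device));
```

The same escaping belongs on every path that echoes the Tree Name and device fields into HTML, including the tree sub-tabs the advisory names as the trigger point.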
Preconditions
- auth: Attacker must have a user account with high-level permissions (e.g., the ability to create devices and manage trees)
- network: Attacker must be able to access the Cacti web interface
- input: Attacker must input a malicious XSS payload into the Description, Hostname, or Tree Name fields
Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. https://github.com/Cacti/cacti/security/advisories/GHSA-j868-7vjp-rp9h (mitre, x_refsource_CONFIRM)