Cacti XSS vulnerability in lib/html_tree.php by reading dirty data stored in database
Description
Cacti provides an operational monitoring and fault management framework. Prior to 1.2.27, some of the data stored in form_save() function in data_queries.php is not thoroughly checked and is used to concatenate the HTML statement in grow_right_pane_tree() function from lib/html.php , finally resulting in cross-site scripting. Version 1.2.27 contains a patch for the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- Cacti (no CPE): range < 1.2.27
- OSV coordinates (11 package versions):
  - pkg:rpm/opensuse/cacti (distro: openSUSE Leap 15.5)
  - pkg:rpm/opensuse/cacti (distro: openSUSE Leap 15.6)
  - pkg:rpm/opensuse/cacti (distro: openSUSE Tumbleweed)
  - pkg:rpm/opensuse/cacti-spine (distro: openSUSE Leap 15.5)
  - pkg:rpm/opensuse/cacti-spine (distro: openSUSE Leap 15.6)
  - pkg:rpm/suse/cacti (distro: SUSE Package Hub 12)
  - pkg:rpm/suse/cacti (distro: SUSE Package Hub 15 SP5)
  - pkg:rpm/suse/cacti (distro: SUSE Package Hub 15 SP6)
  - pkg:rpm/suse/cacti-spine (distro: SUSE Package Hub 12)
  - pkg:rpm/suse/cacti-spine (distro: SUSE Package Hub 15 SP5)
  - pkg:rpm/suse/cacti-spine (distro: SUSE Package Hub 15 SP6)
- Affected distribution package ranges (no CPE), in the order listed above:
  - range: < 1.2.27-bp155.2.9.1
  - range: < 1.2.27-bp156.2.3.1
  - range: < 1.2.27-1.1
  - range: < 1.2.27-bp155.2.9.1
  - range: < 1.2.27-bp156.2.3.1
  - range: < 1.2.27-bp155.2.9.1
  - range: < 1.2.27-bp155.2.9.1
  - range: < 1.2.27-bp156.2.3.1
  - range: < 1.2.27-bp155.2.9.1
  - range: < 1.2.27-bp155.2.9.1
  - range: < 1.2.27-bp156.2.3.1
Patches
Vulnerability mechanics
Root cause
"Missing HTML escaping of the `name` field from the `snmp_query` database table before concatenation into HTML output."
Attack vector
An attacker with template-editor access (no administrator privileges required) POSTs a crafted `name` field containing JavaScript to `data_queries.php?action=save` [ref_id=2]. When a normal user subsequently views a graph tree via `graph_view.php?action=tree_content`, the unescaped name is concatenated into the HTML output, executing the attacker's script in the victim's browser [CWE-79].
Affected code
The vulnerability resides in `form_save()` in `data_queries.php` (writing) and `grow_right_pane_tree()` in `lib/html.php` (reading). The patch adds `html_escape()` calls around the `$name` variable in three branches of `grow_right_pane_tree()` [ref_id=1].
What the fix does
The patch inserts `$name = html_escape($name);` before each of the three places where `$name` is concatenated into `$host_group_data_name` [ref_id=1]. This ensures any HTML or JavaScript embedded in the `name` field of the `snmp_query` table is escaped to harmless text, preventing XSS.
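The following PHP is an added example, not Cacti's own code: it reduces the read path described above to a minimal stand-in so the pre-1.2.27 concatenation can be compared with the escaped form. The constructed `$row` stands in for a record read from the `snmp_query` table, and `html_escape_stand_in()` is assumed to approximate Cacti's `html_escape()` (htmlspecialchars with ENT_QUOTES).

```php
<?php
// Added example, not Cacti's code. Simplified stand-in for the
// concatenation pattern in grow_right_pane_tree() before and after
// the 1.2.27 fix. The real function reads snmp_query.name from the
// database; here a constructed row replaces that read.

// Assumption: Cacti's html_escape() behaves like this wrapper.
function html_escape_stand_in(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Pre-1.2.27 pattern: the stored name reaches the markup unescaped,
// so any tag saved through data_queries.php is rendered as HTML.
function host_group_name_vulnerable(array $row): string {
    $name = $row['name'];
    return 'Data Query: ' . $name;
}

// 1.2.27 pattern: $name = html_escape($name); runs before the
// concatenation, so the browser shows the tag as literal text.
function host_group_name_fixed(array $row): string {
    $name = html_escape_stand_in($row['name']);
    return 'Data Query: ' . $name;
}

// Constructed sample row with markup in the name field (the kind of
// value a template editor could store, per the attack vector above).
$row = ['name' => 'Interfaces <script>alert(1)</script>'];

$vuln  = host_group_name_vulnerable($row);
$fixed = host_group_name_fixed($row);

// Defender check: the escaped output must contain no raw '<' or '"',
// which is what prevents the stored value from becoming a tag.
assert(strpos($fixed, '<') === false && strpos($fixed, '"') === false);
assert(strpos($vuln, '<script>') !== false);

echo "vulnerable: $vuln\n";
echo "fixed:      $fixed\n";
```

Run with `php -d zend.assertions=1 example.php`; the escaped line prints `&lt;script&gt;` in place of the tag.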
Preconditions
- Auth: attacker must have template-editor access (non-admin) to POST to data_queries.php
- Input: victim must visit graph_view.php with a tree node referencing the poisoned data query
Generated on Jun 14, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/Cacti/cacti/commit/f946fa537d19678f938ddbd784a10e3290d275cf (mitre, x_refsource_MISC)
- github.com/Cacti/cacti/security/advisories/GHSA-rqc8-78cm-85j3 (mitre, x_refsource_CONFIRM)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RBEOAFKRARQHTDIYSL723XAFJ2Q6624X/ (mitre)