Cacti SQL Injection vulnerability in lib/html_form_templates.php by reading dirty data stored in database
Description
Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, some of the data stored by the form_save() function in graph_template_inputs.php is not thoroughly checked and is later used to build, by string concatenation, the SQL statement in the draw_nontemplated_fields_graph_item() function in lib/html_form_templates.php, resulting in SQL injection. Version 1.2.27 contains a patch for the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- (no CPE) range: < 1.2.27
- osv-coords (11 versions):
- pkg:rpm/opensuse/cacti&distro=openSUSE%20Leap%2015.5 range: < 1.2.27-bp155.2.9.1
- pkg:rpm/opensuse/cacti&distro=openSUSE%20Leap%2015.6 range: < 1.2.27-bp156.2.3.1
- pkg:rpm/opensuse/cacti&distro=openSUSE%20Tumbleweed range: < 1.2.27-1.1
- pkg:rpm/opensuse/cacti-spine&distro=openSUSE%20Leap%2015.5 range: < 1.2.27-bp155.2.9.1
- pkg:rpm/opensuse/cacti-spine&distro=openSUSE%20Leap%2015.6 range: < 1.2.27-bp156.2.3.1
- pkg:rpm/suse/cacti&distro=SUSE%20Package%20Hub%2012 range: < 1.2.27-bp155.2.9.1
- pkg:rpm/suse/cacti&distro=SUSE%20Package%20Hub%2015%20SP5 range: < 1.2.27-bp155.2.9.1
- pkg:rpm/suse/cacti&distro=SUSE%20Package%20Hub%2015%20SP6 range: < 1.2.27-bp156.2.3.1
- pkg:rpm/suse/cacti-spine&distro=SUSE%20Package%20Hub%2012 range: < 1.2.27-bp155.2.9.1
- pkg:rpm/suse/cacti-spine&distro=SUSE%20Package%20Hub%2015%20SP5 range: < 1.2.27-bp155.2.9.1
- pkg:rpm/suse/cacti-spine&distro=SUSE%20Package%20Hub%2015%20SP6 range: < 1.2.27-bp156.2.3.1
Patches
Vulnerability mechanics
Root cause
"The `column_name` field stored in the `graph_template_input` table is not sanitized before being concatenated directly into an SQL statement in `draw_nontemplated_fields_graph_item()`."
Attack vector
An attacker first submits a crafted POST request to `graph_template_inputs.php` with a malicious `column_name` value (e.g., `id FROM host AS gti;DELETE FROM sessions WHERE 1;#`). This dirty data is stored in the `graph_template_input` table. Subsequently, an administrator-level user triggers the vulnerable code path by accessing `graphs.php?action=graph_edit&id=1`, which calls `draw_nontemplated_fields_graph_item()` and concatenates the unsanitized `column_name` into an SQL query, executing the injected payload. [ref_id=1]
Affected code
The vulnerability resides in the `form_save()` function in `graph_template_inputs.php` and the `draw_nontemplated_fields_graph_item()` function in `lib/html_form_templates.php`. The `column_name` field stored in the `graph_template_input` database table is not thoroughly sanitized before being concatenated into an SQL statement, leading to SQL injection.
What the fix does
The patch in version 1.2.27 adds proper input validation and sanitization for the `column_name` field before it is used in SQL concatenation. By ensuring that user-supplied data cannot contain SQL metacharacters or arbitrary SQL fragments, the fix prevents an attacker from injecting malicious SQL statements through the form template input mechanism. [ref_id=1]
Preconditions
- auth: The attacker must be able to submit a POST request to graph_template_inputs.php (no administrator privileges required for storage).
- auth: An administrator must access graphs.php?action=graph_edit with the affected graph ID to trigger the vulnerable code path.
- input: The malicious column_name value must be 50 characters or fewer due to the field length limit.
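As an added illustration (not Cacti's code and not the 1.2.27 patch itself), the check below shows the kind of validation the fix is described as adding, applied both when a column_name is about to be stored and as an audit of rows already sitting in graph_template_input from before the upgrade. The allow-list of column names and the sample rows are assumptions; the 50-character limit comes from the preconditions above.

```python
import re

# Maximum stored length of column_name, per the advisory's preconditions.
COLUMN_NAME_MAX_LEN = 50

# A plain SQL identifier: letters, digits and underscore only, so it cannot
# close, extend or comment out the statement it is concatenated into.
IDENTIFIER_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")

# Hypothetical allow-list of columns a graph template input may reference.
# A real deployment would derive this from its own schema.
ALLOWED_COLUMNS = frozenset({
    "task_item_id", "title", "text_format", "color_id", "line_width",
    "graph_type_id", "alpha", "consolidation_function_id", "cdef_id", "vdef_id",
})

def validate_column_name(column_name, allowed=ALLOWED_COLUMNS):
    """Return (ok, reason). ok is True only if column_name is safe to use as
    an identifier in generated SQL: bounded length, identifier syntax, and
    present in the allow-list. Reject-by-default, never sanitize-in-place."""
    if not isinstance(column_name, str) or column_name == "":
        return False, "empty"
    if len(column_name) > COLUMN_NAME_MAX_LEN:
        return False, "too long"
    if not IDENTIFIER_RE.fullmatch(column_name):
        return False, "not a plain identifier"
    if column_name not in allowed:
        return False, "not an allowed column"
    return True, "ok"

def audit_graph_template_inputs(rows, allowed=ALLOWED_COLUMNS):
    """Scan (id, column_name) rows exported from graph_template_input and
    return (id, reason) for every row whose stored value would be rejected.
    Rows written before the fix are the 'dirty data' the advisory describes,
    and upgrading alone does not rewrite them."""
    flagged = []
    for row_id, column_name in rows:
        ok, reason = validate_column_name(column_name, allowed)
        if not ok:
            flagged.append((row_id, reason))
    return flagged

# Constructed sample rows, not real Cacti data; row 3 reuses the payload
# shape quoted in the attack-vector section above.
SAMPLE_ROWS = [
    (1, "task_item_id"),
    (2, "color_id"),
    (3, "id FROM host AS gti;DELETE FROM sessions WHERE 1;#"),
    (4, "title; --"),
    (5, "nonexistent_column"),
]

if __name__ == "__main__":
    for row_id, reason in audit_graph_template_inputs(SAMPLE_ROWS):
        print(f"graph_template_input.id={row_id}: {reason}")
```

Flagged rows should be reviewed and corrected in the database after upgrading, since the patch only validates new input.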
Generated on Jun 14, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References