Unrated severityNVD Advisory· Published Jun 24, 2026

Cacti: Pre-authentication SQL injection via rfilter RLIKE clause in graph_view.php

CVE-2026-39893

Description

Cacti is an open source performance and fault management framework. In versions 1.2.30 and prior, the rfilter request variable was concatenated into a RLIKE SQL clause without sanitization. The endpoint does not require authentication (graph viewing supports guest access via the configured guest user), so the SQLi was reachable pre-auth on installs with guest viewing enabled. This issue was fixed in version 1.2.31.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

Cacti (software)/Cactillm-fuzzy
Range: <=1.2.30

Patches

Vulnerability mechanics

References

github.com/Cacti/cacti/pull/7039mitrex_refsource_MISC
github.com/Cacti/cacti/security/advisories/GHSA-69gg-mjfm-jjpcmitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000