Cacti: 15 Vulnerabilities Including RCE and SQLi Disclosed in Coordinated Batch

Key findings
- 15 vulnerabilities in Cacti versions 1.2.30 and prior disclosed between June 24-26, 2026.
- Flaws include SQL injection, command injection, RCE, XSS, path traversal, and open redirect.
- SQL injection vulnerabilities affect reporting, graph viewing, and package import features.
- Command injection and RCE linked to RRDtool execution and graph image handling.
- All 15 vulnerabilities are fixed in Cacti version 1.2.31.
On June 24-26, 2026, a batch of 15 vulnerabilities was disclosed for the Cacti network monitoring system. The flaws affect versions 1.2.30 and prior and span SQL injection, command injection and remote code execution (RCE), cross-site scripting (XSS), path traversal, open redirect and session fixation. Several of the SQL injection and RCE issues are reachable before authentication, which leaves little room to wait: installations should be updated to version 1.2.31 or later.
Several of the vulnerabilities are SQL injection flaws. CVE-2026-39951 is a stored SQL injection in the Reports feature, and CVE-2026-39955 a pre-authentication SQL injection in graph viewing, meaning it is reachable without valid credentials. CVE-2026-39948 and CVE-2026-39893 are further pre-authentication SQL injections in graph viewing, where the 'rfilter' request parameter is used in an RLIKE clause without sanitisation. A fifth, CVE-2026-40083, arises from unsanitized input passed through unserialize() and implode() in managers.php.
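To show the pattern behind the 'rfilter' RLIKE injections, here is an added example written for this page; it is not Cacti's code. It runs in Python against an in-memory SQLite database: the table, its rows and columns, and the shape of the query are assumptions for illustration, and because SQLite has no RLIKE a REGEXP function is registered to stand in for MySQL's operator. The vulnerable function splices the filter into the SQL text; the hardened one binds it as a parameter.

```python
import re
import sqlite3

# Constructed sample rows standing in for a graph table; this is not Cacti's schema.
GRAPHS = [
    (1, "Router CPU", "public"),
    (2, "Core Switch Traffic", "public"),
    (3, "Admin Secrets Graph", "restricted"),
]


def connect():
    """Open an in-memory database with a MySQL-style REGEXP (RLIKE) operator."""
    conn = sqlite3.connect(":memory:")
    # SQLite has no RLIKE; "X REGEXP Y" calls regexp(Y, X), so register that function.
    conn.create_function(
        "regexp", 2, lambda pattern, value: re.search(pattern, value or "") is not None
    )
    conn.execute("CREATE TABLE graph (id INTEGER, title TEXT, visibility TEXT)")
    conn.executemany("INSERT INTO graph VALUES (?, ?, ?)", GRAPHS)
    return conn


def vulnerable_search(conn, rfilter):
    """VULNERABLE (constructed): the user-controlled filter becomes part of the SQL text.

    A filter of "' OR '1'='1" rewrites the WHERE clause to
    visibility = 'public' AND title REGEXP '' OR '1'='1'
    which is true for every row, including the restricted one, with no credentials needed.
    """
    sql = (
        "SELECT id FROM graph WHERE visibility = 'public' "
        "AND title REGEXP '" + rfilter + "' ORDER BY id"
    )
    return [row[0] for row in conn.execute(sql)]


def safe_search(conn, rfilter):
    """Hardened: the filter travels as a bound parameter, never as SQL text."""
    try:
        re.compile(rfilter)  # reject syntactically invalid patterns up front
    except re.error as exc:
        raise ValueError("invalid filter regex: %s" % exc) from None
    sql = (
        "SELECT id FROM graph WHERE visibility = 'public' "
        "AND title REGEXP ? ORDER BY id"
    )
    return [row[0] for row in conn.execute(sql, (rfilter,))]


if __name__ == "__main__":
    db = connect()
    payload = "' OR '1'='1"
    print("vulnerable:", vulnerable_search(db, payload))  # every row, restricted included
    print("safe:      ", safe_search(db, payload))        # the payload is just a regex: no rows
```

Binding the parameter removes the injection, but the value is still a regular expression evaluated by the database, so a filter such as `(a+)+$` can be a denial-of-service vector; length-limit the pattern or restrict it to a safe subset in addition to parameterising it.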
Beyond SQL injection, the batch includes command injection and RCE. CVE-2026-39938 is an unauthenticated RCE in graph image handling, and CVE-2026-40079 is a command injection in RRDtool execution caused by an escape_command() function that was a no-op: it returned its argument unchanged, so shell metacharacters in user-controlled values reached the RRDtool command line intact.
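The following added example (not Cacti's code) illustrates what a no-op escaping helper means in practice and the two ways to fix it: quote the argument for the shell, or better, stop using a shell. It uses `echo graph` in place of an RRDtool invocation so that it runs anywhere; the helper names, the command shape and the filename value are assumptions made for this page.

```python
import shlex
import subprocess

# Constructed attacker-controlled value, e.g. an output filename taken from a request.
PAYLOAD = "out.png; echo INJECTED"


def escape_command_noop(arg):
    """Stand-in for an escaping helper that returns its input unchanged (a no-op).

    Every shell metacharacter in arg survives into the command line.
    """
    return arg


def escape_command_fixed(arg):
    """Single-quote the argument so the shell treats it as one literal word."""
    return shlex.quote(arg)


def build_command(escape, filename):
    """Assemble a shell command line the way a string-concatenating caller would.

    'echo graph' stands in for the real tool; the metacharacter handling is identical.
    """
    return "echo graph " + escape(filename)


def run_through_shell(command):
    """Run a command line via /bin/sh (shell=True) and return its stdout lines."""
    result = subprocess.run(
        command, shell=True, capture_output=True, text=True, check=True
    )
    return result.stdout.splitlines()


def run_argv(filename):
    """Preferred fix: pass an argument vector and no shell, so there is nothing to inject into."""
    result = subprocess.run(
        ["echo", "graph", filename], capture_output=True, text=True, check=True
    )
    return result.stdout.splitlines()


if __name__ == "__main__":
    # With the no-op escape the payload's second command runs: ['graph out.png', 'INJECTED']
    print(run_through_shell(build_command(escape_command_noop, PAYLOAD)))
    # With quoting it is a single literal argument: ['graph out.png; echo INJECTED']
    print(run_through_shell(build_command(escape_command_fixed, PAYLOAD)))
    # Without a shell the question never arises:   ['graph out.png; echo INJECTED']
    print(run_argv(PAYLOAD))
```

Quoting is the narrow fix for code that must keep building a command string; the argument-vector form is the durable one, because it also removes the need for every caller to remember to call the escaping helper.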
Two reflected cross-site scripting (XSS) flaws were also identified. CVE-2026-39900 is a reflected XSS via the 'tab' parameter in auth_profile.php, where the reflected value lands in a JavaScript context rather than in HTML body text, so escaping meant for HTML is not enough on its own. CVE-2026-39897 is a reflected XSS in html_auth_footer.
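Why a JavaScript context needs its own encoder is easiest to see with an added example; this is illustrative code written for this page, not Cacti's, and the template `var tab = '...';` and the two payloads are constructed. The checker `js_after_literal` implements just enough JavaScript tokenisation to tell whether injected code follows the string literal.

```python
import html
import json

# Constructed payloads for a value reflected into <script>var tab = '...';</script>
BREAK_STRING = "';alert(1);//"
CLOSE_TAG = "</script><svg onload=alert(1)>"


def html_escape_no_quotes(value):
    """HTML-escape &, < and > only, leaving quotes alone (the behaviour of PHP's
    htmlspecialchars() before ENT_QUOTES became its default). Fine for HTML body
    text, useless inside a single-quoted JavaScript string."""
    return html.escape(value, quote=False)


def js_string_literal(value):
    """Encode value as a JavaScript string literal that is also safe inside a
    <script> element: JSON quoting plus \\uXXXX escapes for <, > and & so that
    the sequence "</script>" can never appear in the output."""
    return (
        json.dumps(value)
        .replace("<", "\\u003c")
        .replace(">", "\\u003e")
        .replace("&", "\\u0026")
    )


def render_script(value, encode, quoted=True):
    """Build the JS statement. quoted=True mimics a template that supplies its own
    quotes around the value; quoted=False lets the encoder supply them."""
    literal = "'" + encode(value) + "'" if quoted else encode(value)
    return "var tab = " + literal + ";"


def js_after_literal(statement):
    """Return the JavaScript source that follows the first string literal in
    "var tab = <literal>...". Handles backslash escapes and the matching quote;
    a safe rendering leaves exactly ';', anything longer is injected code."""
    i = len("var tab = ")
    quote = statement[i]
    if quote not in "'\"":
        return statement[i:]  # not even a string literal: bare injection
    i += 1
    while i < len(statement):
        ch = statement[i]
        if ch == "\\":
            i += 2
            continue
        if ch == quote:
            return statement[i + 1:]
        i += 1
    return None  # unterminated literal


def closes_script_early(statement):
    """The HTML parser ends a <script> element at the first '</script', regardless
    of JavaScript string syntax, so the tag must not survive encoding."""
    return "</script" in statement.lower()


if __name__ == "__main__":
    for name, enc, quoted in [("raw", str, True),
                              ("html-escape", html_escape_no_quotes, True),
                              ("js-literal", js_string_literal, False)]:
        rendered = render_script(BREAK_STRING, enc, quoted)
        print("%-12s %-40s after literal: %r" % (name, rendered, js_after_literal(rendered)))
```

Escaping quotes as HTML entities (ENT_QUOTES-style) would stop the first payload but corrupts the data instead, because entities are not decoded inside `<script>`; plain JSON encoding keeps the data but still lets `</script>` through, which is why the encoder above also escapes `<`, `>` and `&`.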
Path traversal is another theme. CVE-2026-40084 is a path traversal in lib/html_reports.php that allows arbitrary files to be read, and CVE-2026-39899 is a path traversal in package_import.php. Related to the latter, CVE-2026-40941 is a signature validation bypass in package import under which self-signed packages are accepted, so a valid signature no longer shows that a trusted party produced the package.
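A path traversal that reads arbitrary files usually comes down to joining a user-supplied name onto a base directory and trusting the result. The added example below (written for this page, not taken from Cacti) shows the naive join beside a containment check that resolves `..`, absolute paths and symlinks before comparing; the base directory name and file names are assumptions.

```python
import os
import tempfile


def unsafe_report_path(base_dir, name):
    """VULNERABLE (constructed): a plain join. '..' segments walk out of base_dir,
    and an absolute name discards base_dir altogether."""
    return os.path.join(base_dir, name)


def is_within_base(base_dir, name):
    """True only if base_dir/name, after resolving '..' and symlinks, stays under base_dir.

    commonpath (not startswith) is used so that /var/reports2 is not mistaken
    for a child of /var/reports."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    return os.path.commonpath([base, candidate]) == base


def safe_report_path(base_dir, name):
    """Resolve name under base_dir, refusing anything that escapes it."""
    if not is_within_base(base_dir, name):
        raise ValueError("report path escapes the report directory: %r" % name)
    return os.path.realpath(os.path.join(os.path.realpath(base_dir), name))


def symlink_escape_is_rejected():
    """Show why symlink resolution matters: a link inside base_dir that points
    outside it passes any textual '..' check but fails the realpath check."""
    with tempfile.TemporaryDirectory() as outside, tempfile.TemporaryDirectory() as base:
        secret = os.path.join(outside, "secret.txt")
        with open(secret, "w") as fh:
            fh.write("not for reports\n")  # constructed file standing in for a secret
        os.symlink(secret, os.path.join(base, "weekly.txt"))
        return not is_within_base(base, "weekly.txt")


if __name__ == "__main__":
    for name in ["weekly.txt", "../../etc/passwd", "/etc/passwd", "../reports2/x"]:
        print("%-20s unsafe -> %-28s contained: %s" % (
            name, unsafe_report_path("/var/reports", name), is_within_base("/var/reports", name)))
    print("symlink escape rejected:", symlink_escape_is_rejected())
```

The check is only as good as the directory it is anchored to: resolve the base once from configuration, not from anything in the request, and apply the same test to every file operation (read, write, include), since a traversal that reaches a writable directory can quickly turn into code execution.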
The batch also includes an open redirect (CVE-2026-40080) caused by improper handling of the Referer header, and a session fixation flaw (CVE-2026-40082) caused by a missing session_regenerate_id() call after login, which leaves the authenticated session on whatever session ID the client arrived with. Lastly, CVE-2026-39894 is a locale-dependent decimal formatting issue in RRDtool metric updates that can corrupt stored data (for example when the active locale formats floating-point values with a comma rather than a period as the decimal separator).
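The two authentication-flow issues in this paragraph are easy to reproduce in miniature. The added example below (illustrative code written for this page, not Cacti's) models a server-side session store that accepts a client-supplied session ID, as PHP does with session.use_strict_mode off, and contrasts a login that keeps that ID with one that regenerates it; it then shows a Referer-based redirect check that accepts only same-host targets. The host name, paths and the planted session ID are constructed.

```python
import secrets
from urllib.parse import urlsplit

# Constructed session id that the attacker has already planted in the victim's cookie.
ATTACKER_SID = "a1b2c3d4e5f60718293a4b5c6d7e8f90"


class SessionStore:
    """Minimal server-side session store that, like PHP with session.use_strict_mode=0,
    accepts whatever session id the client presents."""

    def __init__(self):
        self.sessions = {}

    def start(self, client_sid=None):
        sid = client_sid or secrets.token_hex(16)
        self.sessions.setdefault(sid, {})
        return sid

    def login_vulnerable(self, sid, user):
        """Marks the session authenticated but keeps the id the client arrived with."""
        self.sessions[sid]["user"] = user
        return sid

    def login_fixed(self, sid, user):
        """The session_regenerate_id(true) pattern: move the data to a fresh,
        server-chosen id and delete the old one, so a pre-planted id is worthless."""
        data = self.sessions.pop(sid)
        data["user"] = user
        new_sid = secrets.token_hex(16)
        self.sessions[new_sid] = data
        return new_sid

    def user_for(self, sid):
        return self.sessions.get(sid, {}).get("user")


def fixation_outcome(fixed):
    """Victim logs in on a session id the attacker already knows.
    Returns (user visible through the attacker's id, user visible through the victim's id)."""
    store = SessionStore()
    sid = store.start(ATTACKER_SID)
    login = store.login_fixed if fixed else store.login_vulnerable
    victim_sid = login(sid, "alice")
    return store.user_for(ATTACKER_SID), store.user_for(victim_sid)


def safe_return_url(referer, allowed_host, default="/index.php"):
    """Turn an untrusted Referer into a same-site redirect target, or fall back."""
    if not referer:
        return default
    parts = urlsplit(referer)
    if parts.scheme or parts.netloc:
        # Absolute or scheme-relative (//host/...) URL: only http(s) on our own host passes.
        # .hostname is compared, so "https://ourhost@evil.example/" resolves to evil.example.
        if parts.scheme not in ("http", "https") or (parts.hostname or "").lower() != allowed_host.lower():
            return default
        target = parts.path or "/"
    else:
        # Relative: must be a local absolute path; browsers read "/\host" like "//host".
        if not referer.startswith("/") or referer[1:2] in ("/", "\\"):
            return default
        target = parts.path
    return target + ("?" + parts.query if parts.query else "")


if __name__ == "__main__":
    print("vulnerable login:", fixation_outcome(fixed=False))  # ('alice', 'alice')
    print("fixed login:     ", fixation_outcome(fixed=True))   # (None, 'alice')
    for ref in ["https://cacti.example.org/graph_view.php?action=tree",
                "https://evil.example/phish", "//evil.example/phish",
                "https://cacti.example.org@evil.example/", "/\\evil.example"]:
        print("%-52s -> %s" % (ref, safe_return_url(ref, "cacti.example.org")))
```

Regenerating the ID at every privilege change (login, role elevation, password change) is the general rule; the redirect check deliberately returns only the path and query of an accepted URL rather than echoing the original string, so scheme, port and userinfo supplied by the client never reach the Location header.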
All 15 vulnerabilities were fixed in Cacti version 1.2.31. The disclosure window ran from June 24 to June 26, 2026, and every reported issue affects versions 1.2.30 and prior. Because the flaws touch authentication, reporting and core data processing, and several are exploitable without credentials, administrators should update promptly; a monitoring system holds credentials and topology data for the rest of the network, which makes a compromised instance a convenient foothold.
Key findings from this batch include:
- Multiple SQL injection flaws, including pre-authentication and stored variants, affecting reporting and graph features.
- Command injection and unauthenticated RCE vulnerabilities tied to RRDtool execution and graph image handling.
- Path traversal and signature validation bypass issues in package import and report generation.
- Reflected XSS and session fixation vulnerabilities impacting user authentication and session management.
- All 15 disclosed vulnerabilities are addressed in Cacti version 1.2.31.
Because the batch ranges from data corruption to unauthenticated code execution, it needs immediate attention from Cacti administrators. The Cacti team addressed all reported CVEs in a single release, 1.2.31, so one upgrade covers the whole batch. The episode is also a reminder to keep a working patch management process for monitoring infrastructure, which is typically reachable from many network segments and is easy to leave behind on an old release.
The vulnerabilities disclosed include: CVE-2026-40941, CVE-2026-40084, CVE-2026-40082, CVE-2026-40080, CVE-2026-40083, CVE-2026-40079, CVE-2026-39951, CVE-2026-39948, CVE-2026-39955, CVE-2026-39938, CVE-2026-39900, CVE-2026-39899, CVE-2026-39897, CVE-2026-39894, CVE-2026-39893.