Vendor CVEs
Cacti (software)
All CVEs
171 total · sorted by risk

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-29895 | Cacti | Critical | 0.65 | 10.0 | 0.94 | | May 14, 2024 | Cacti provides an operational monitoring and fault management framework. A command injection vulnerability on the 1.3.x DEV branch allows any unauthenticated user to execute arbitrary command on the server when `register_argc_argv` option of PHP is `On`. In `cmd_realtime.php`… |
| CVE-2017-12065 | Cacti | Critical | 0.64 | 9.8 | 0.03 | | Aug 1, 2017 | spikekill.php in Cacti before 1.1.16 might allow remote attackers to execute arbitrary code via the avgnan, outlier-start, or outlier-end parameter. |
| CVE-2014-4000 | Cacti | High | 0.57 | 8.8 | 0.02 | | Nov 15, 2017 | Cacti before 1.0.0 allows remote authenticated users to conduct PHP object injection attacks and execute arbitrary PHP code via a crafted serialized object, related to calling unserialize(stripslashes()). |
| CVE-2017-1000031 | Cacti | High | 0.57 | 8.8 | 0.01 | | Jul 17, 2017 | SQL injection vulnerability in graph_templates_inputs.php in Cacti 0.8.8b allows remote attackers to execute arbitrary SQL commands via the graph_template_input_id and graph_template_id parameters. |
| CVE-2016-2313 | Cacti | High | 0.57 | 8.8 | 0.03 | | Apr 13, 2016 | auth_login.php in Cacti before 0.8.8g allows remote authenticated users who use web authentication to bypass intended access restrictions by logging in as a user not in the cacti database. |
| CVE-2016-3172 | Cacti | High | 0.57 | 8.8 | 0.03 | | Apr 12, 2016 | SQL injection vulnerability in tree.php in Cacti 0.8.8g and earlier allows remote authenticated users to execute arbitrary SQL commands via the parent_id parameter in an item_edit action. |
| CVE-2015-8604 | Cacti | High | 0.57 | 8.8 | 0.02 | | Apr 11, 2016 | SQL injection vulnerability in the host_new_graphs function in graphs_new.php in Cacti 0.8.8f and earlier allows remote authenticated users to execute arbitrary SQL commands via the cg_g parameter in a save action. |
| CVE-2016-3659 | Cacti | High | 0.57 | 8.8 | 0.02 | | Apr 11, 2016 | SQL injection vulnerability in graph_view.php in Cacti 0.8.8.g allows remote authenticated users to execute arbitrary SQL commands via the host_group_data parameter. |
| CVE-2016-10700 | Cacti | High | 0.50 | 8.8 | 0.02 | | Nov 24, 2017 | auth_login.php in Cacti before 1.0.0 allows remote authenticated users who use web authentication to bypass intended access restrictions by logging in as a user not in the cacti database, because the guest user is not considered. NOTE: this vulnerability exists because of an… |
| CVE-2017-16660 | Cacti | High | 0.47 | 7.2 | 0.04 | | Nov 8, 2017 | Cacti 1.1.27 allows remote authenticated administrators to conduct Remote Code Execution attacks by placing the Log Path under the web root, and then making a remote_agent.php request containing PHP code in a Client-ip header. |
| CVE-2017-16641 | Cacti | High | 0.47 | 7.2 | 0.03 | | Nov 7, 2017 | lib/rrd.php in Cacti 1.1.27 allows remote authenticated administrators to execute arbitrary OS commands via the path_rrdtool parameter in an action=save request to settings.php. |
| CVE-2017-16785 | Cacti | Medium | 0.40 | 6.1 | 0.01 | | Nov 10, 2017 | Cacti 1.1.27 has reflected XSS via the PATH_INFO to host.php. |
| CVE-2017-15194 | Cacti | Medium | 0.40 | 6.1 | 0.01 | | Oct 11, 2017 | include/global_session.php in Cacti 1.1.25 has XSS related to (1) the URI or (2) the refresh page. |
| CVE-2017-12927 | Cacti | Medium | 0.40 | 6.1 | 0.01 | | Aug 18, 2017 | A cross-site scripting vulnerability exists in Cacti 1.1.17 in the method parameter in spikekill.php. |
| CVE-2017-1000032 | Cacti | Medium | 0.40 | 6.1 | 0.01 | | Jul 17, 2017 | Cross-Site scripting (XSS) vulnerabilities in Cacti 0.8.8b allow remote attackers to inject arbitrary web script or HTML via the parent_id parameter to tree.php and drp_action parameter to data_sources.php. |
| CVE-2025-45160 | Cacti | Medium | 0.35 | 5.4 | 0.00 | | Jan 29, 2026 | A HTML injection vulnerability exists in the file upload functionality of Cacti <= 1.2.29. When a file with an invalid format is uploaded, the application reflects the submitted filename back into an error popup without proper sanitization. As a result, attackers can inject… |
| CVE-2018-10061 | Cacti | Medium | 0.35 | 5.4 | 0.01 | | Apr 12, 2018 | Cacti before 1.1.37 has XSS because it makes certain htmlspecialchars calls without the ENT_QUOTES flag (these calls occur when the html_escape function in lib/html.php is not used). |
| CVE-2018-10060 | Cacti | Medium | 0.35 | 5.4 | 0.01 | | Apr 12, 2018 | Cacti before 1.1.37 has XSS because it does not properly reject unintended characters, related to use of the sanitize_uri function in lib/functions.php. |
| CVE-2018-10059 | Cacti | Medium | 0.35 | 5.4 | 0.01 | | Apr 12, 2018 | Cacti before 1.1.37 has XSS because the get_current_page function in lib/functions.php relies on $_SERVER['PHP_SELF'] instead of $_SERVER['SCRIPT_NAME'] to determine a page name. |
| CVE-2017-12978 | Cacti | Medium | 0.35 | 5.4 | 0.01 | | Aug 21, 2017 | lib/html.php in Cacti before 1.1.18 has XSS via the title field of an external link added by an authenticated user. |
| CVE-2017-12066 | Cacti | Medium | 0.35 | 5.4 | 0.01 | | Aug 1, 2017 | Cross-site scripting (XSS) vulnerability in aggregate_graphs.php in Cacti before 1.1.16 allows remote authenticated users to inject arbitrary web script or HTML via specially crafted HTTP Referer headers, related to the $cancel_url variable. NOTE: this vulnerability exists… |
| CVE-2017-11691 | Cacti | Medium | 0.35 | 5.4 | 0.02 | | Jul 27, 2017 | Cross-site scripting (XSS) vulnerability in auth_profile.php in Cacti 1.1.13 allows remote attackers to inject arbitrary web script or HTML via specially crafted HTTP Referer headers. |
| CVE-2017-11163 | Cacti | Medium | 0.35 | 5.4 | 0.01 | | Jul 10, 2017 | Cross-site scripting (XSS) vulnerability in aggregate_graphs.php in Cacti 1.1.12 allows remote authenticated users to inject arbitrary web script or HTML via specially crafted HTTP Referer headers, related to the $cancel_url variable. |
| CVE-2017-10970 | Cacti | Medium | 0.35 | 5.4 | 0.01 | | Jul 6, 2017 | Cross-site scripting (XSS) vulnerability in link.php in Cacti 1.1.12 allows remote anonymous users to inject arbitrary web script or HTML via the id parameter, related to the die_html_input_error function in lib/html_validate.php. |
| CVE-2024-30268 | Cacti | Medium | 0.33 | 6.1 | 0.01 | | May 14, 2024 | Cacti provides an operational monitoring and fault management framework. A reflected cross-site scripting vulnerability on the 1.3.x DEV branch allows attackers to obtain cookies of administrator and other users and fake their login using obtained cookies. This issue is fixed in… |
| CVE-2017-16661 | Cacti | Medium | 0.32 | 4.9 | 0.01 | | Nov 8, 2017 | Cacti 1.1.27 allows remote authenticated administrators to read arbitrary files by placing the Log Path into a private directory, and then making a clog.php?filename= request, as demonstrated by filename=passwd (with a Log Path under /etc) to read /etc/passwd. |
| CVE-2022-46169 | Cacti | | 0.23 | — | 1.00 | KEV | Dec 5, 2022 | Cacti is an open source platform which provides a robust and extensible operational monitoring and fault management framework for users. In affected versions a command injection vulnerability allows an unauthenticated user to execute arbitrary code on a server running Cacti, if… |
| CVE-2024-25641 | Cacti | | 0.10 | — | 0.86 | | May 13, 2024 | Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, an arbitrary file write vulnerability, exploitable through the "Package Import" feature, allows authenticated users having the "Import Templates" permission to execute arbitrary PHP… |
| CVE-2023-49085 | Cacti | | 0.10 | — | 0.85 | | Dec 22, 2023 | Cacti provides an operational monitoring and fault management framework. In versions 1.2.25 and prior, it is possible to execute arbitrary SQL code through the `pollers.php` script. An authorized user may be able to execute arbitrary SQL code. The vulnerable component is the… |
| CVE-2023-49084 | Cacti | | 0.10 | — | 0.64 | | Dec 21, 2023 | Cacti is a robust performance and fault management framework and a frontend to RRDTool - a Time Series Database (TSDB). While using the detected SQL Injection and insufficient processing of the include file path, it is possible to execute arbitrary code on the server.… |
| CVE-2023-39362 | Cacti | | 0.10 | — | 0.82 | | Sep 5, 2023 | Cacti is an open source operational monitoring and fault management framework. In Cacti 1.2.24, under certain conditions, an authenticated privileged user, can use a malicious string in the SNMP options of a Device, performing command injection and obtaining remote code… |
| CVE-2020-8813 | Cacti | | 0.10 | — | 0.74 | | Feb 22, 2020 | graph_realtime.php in Cacti 1.2.8 allows remote attackers to execute arbitrary OS commands via shell metacharacters in a cookie, if a guest user has the graph real-time privilege. |
| CVE-2020-14295 | Cacti | | 0.09 | — | 0.86 | | Jun 17, 2020 | A SQL injection issue in color.php in Cacti 1.2.12 allows an admin to inject SQL via the filter parameter. This can lead to remote command execution because the product accepts stacked queries. |
| CVE-2005-10004 | Cacti | | 0.08 | — | 0.02 | | Aug 30, 2025 | Cacti versions prior to 0.8.6-d contain a remote command execution vulnerability in the graph_view.php script. An authenticated user can inject arbitrary shell commands via the graph_start GET parameter, which is improperly handled during graph rendering. This flaw allows… |
| CVE-2025-24367 | Cacti | | 0.07 | — | 0.51 | | Jan 27, 2025 | Cacti is an open source performance and fault management framework. An authenticated Cacti user can abuse graph creation and graph template functionality to create arbitrary PHP scripts in the web root of the application, leading to remote code execution on the server. This… |
| CVE-2023-39361 | Cacti | | 0.07 | — | 0.88 | | Sep 5, 2023 | Cacti is an open source operational monitoring and fault management framework. Affected versions are subject to a SQL injection discovered in graph_view.php. Since guest users can access graph_view.php without authentication by default, if guest users are being utilized in an… |
| CVE-2024-43363 | Cacti | | 0.06 | — | 0.36 | | Oct 7, 2024 | Cacti is an open source performance and fault management framework. An admin user can create a device with a malicious hostname containing php code and repeat the installation process (completing only step 5 of the installation process is enough, no need to complete the steps… |
| CVE-2023-30534 | Cacti | | 0.04 | — | 0.03 | | Sep 5, 2023 | Cacti is an open source operational monitoring and fault management framework. There are two instances of insecure deserialization in Cacti version 1.2.24. While a viable gadget chain exists in Cacti’s vendor directory (phpseclib), the necessary gadgets are not included,… |
| CVE-2006-0146 | Cacti | | 0.04 | — | 0.13 | | Jan 9, 2006 | The server.php test script in ADOdb for PHP before 4.70, as used in multiple products including (1) Mantis, (2) PostNuke, (3) Moodle, (4) Cacti, (5) Xaraya, (6) PHPOpenChat, (7) MAXdev MD-Pro, and (8) MediaBeez, when the MySQL root password is empty, allows remote attackers to… |
| CVE-2006-0147 | Cacti | | 0.04 | — | 0.13 | | Jan 9, 2006 | Dynamic code evaluation vulnerability in tests/tmssql.php test script in ADOdb for PHP before 4.70, as used in multiple products including (1) Mantis, (2) PostNuke, (3) Moodle, (4) Cacti, (5) Xaraya, (6) PhpOpenChat, possibly (7) MAXdev MD-Pro, and (8) Simplog, allows remote… |
| CVE-2005-1524 | Cacti | | 0.04 | — | 0.16 | | Jun 22, 2005 | PHP file inclusion vulnerability in top_graph_header.php in Cacti 0.8.6d and possibly earlier versions allows remote attackers to execute arbitrary PHP code via the config[library_path] parameter. |
| CVE-2005-1526 | Cacti | | 0.04 | — | 0.17 | | Jun 22, 2005 | PHP remote file inclusion vulnerability in config_settings.php in Cacti before 0.8.6e allows remote attackers to execute arbitrary PHP code via the config[include_path] parameter. |
| CVE-2024-54146 | Cacti | | 0.03 | — | 0.39 | | Jan 27, 2025 | Cacti is an open source performance and fault management framework. Cacti has a SQL injection vulnerability in the template function of host_templates.php using the graph_template parameter. This vulnerability is fixed in 1.2.29. |
| CVE-2023-51448 | Cacti | | 0.03 | — | 0.09 | | Dec 22, 2023 | Cacti provides an operational monitoring and fault management framework. Version 1.2.25 has a Blind SQL Injection (SQLi) vulnerability within the SNMP Notification Receivers feature in the file `managers.php`. An authenticated attacker with the "Settings/Utilities"… |
| CVE-2020-7237 | Cacti | | 0.03 | — | 0.37 | | Jan 20, 2020 | Cacti 1.2.8 allows Remote Code Execution (by privileged users) via shell metacharacters in the Performance Boost Debug Log field of poller_automation.php. OS commands are executed when a new poller cycle begins. The attacker must be authenticated, and must have access to modify… |
| CVE-2014-4644 | Cacti | | 0.03 | — | 0.01 | | Jun 25, 2014 | SQL injection vulnerability in superlinks.php in the superlinks plugin 1.4-2 for Cacti allows remote attackers to execute arbitrary SQL commands via the id parameter. |
| CVE-2010-2544 | Cacti | | 0.03 | — | 0.04 | | Aug 23, 2010 | Cross-site scripting (XSS) vulnerability in utilities.php in Cacti before 0.8.7g, as used in Red Hat High Performance Computing (HPC) Solution and other products, allows remote attackers to inject arbitrary web script or HTML via the filter parameter. |
| CVE-2010-2543 | Cacti | | 0.03 | — | 0.04 | | Aug 23, 2010 | Cross-site scripting (XSS) vulnerability in include/top_graph_header.php in Cacti before 0.8.7g allows remote attackers to inject arbitrary web script or HTML via the graph_start parameter to graph.php. NOTE: this vulnerability exists because of an incorrect fix for… |
| CVE-2010-1431 | Cacti | | 0.03 | — | 0.04 | | May 4, 2010 | SQL injection vulnerability in templates_export.php in Cacti 0.8.7e and earlier allows remote attackers to execute arbitrary SQL commands via the export_item_id parameter. |
| CVE-2009-4032 | Cacti | | 0.03 | — | 0.06 | | Nov 29, 2009 | Multiple cross-site scripting (XSS) vulnerabilities in Cacti 0.8.7e allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) graph.php, (2) include/top_graph_header.php, (3) lib/html_form.php, and (4) lib/timespan_settings.php, as demonstrated by… |
Page 1 of 4