Description
Cacti is an open source performance and fault management framework. Versions 1.2.30 and below contain a Reflected XSS vulnerability in the html_auth_footer. This issue has been fixed in version 1.2.31.
Published: 2026-06-24
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Cacti, a web-based network performance and fault monitoring application, contains a reflected cross-site scripting flaw in the footer of its authentication page (html_auth_footer). An attacker-supplied string is echoed into the page and executed as JavaScript in the browser of a user who opens the crafted URL. The flaw is a classic reflected XSS (CWE-79) and could let an attacker hijack the user's session, steal credentials, or perform other actions in the context of the victim's browser. No server-side remote code execution is described; the impact on confidentiality, integrity, and availability is confined to the victim's browser session.

Affected Systems

Cacti 1.2.30 and earlier versions are affected; the bug was corrected in 1.2.31 and later releases.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. No EPSS score is reported, so the probability of exploitation cannot be quantified, and the vulnerability is not listed in the CISA KEV catalog. It is likely exploitable through the public authentication page: an attacker crafts a URL whose payload is reflected into the page when a victim opens it. No privileged access or other prerequisites are mentioned, so the attack vector is straightforward for an unauthenticated user who can reach the login page.

Generated by OpenCVE AI on June 24, 2026 at 23:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Cacti to version 1.2.31 or later, which removes the unsanitized footer output.
  • If an immediate upgrade is not possible, ensure that any content inserted into the html_auth_footer is fully escaped or filtered to prevent script execution.
  • Implement a Content Security Policy that restricts inline scripts and disallows loading of JavaScript from untrusted sources to mitigate the impact of any remaining XSS vectors.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 22:15:00 +0000

Type        | Values Removed | Values Added
Description |                | Cacti is an open source performance and fault management framework. Versions 1.2.30 and below contain a Reflected XSS vulnerability in the html_auth_footer. This issue has been fixed in version 1.2.31.
Title       |                | Cacti has a Reflected XSS Vulnerability via html_auth_footer
Weaknesses  |                | CWE-79
References  |                |
Metrics     |                | cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-24T22:00:56.414Z

Reserved: 2026-04-07T20:32:03.012Z

Link: CVE-2026-39897

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T23:30:03Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')