Description
Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior are vulnerable to Path Traversal via filename parameter in package_import.php. This issue has been fixed in version 1.2.31.
Published: 2026-06-24
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A Path Traversal flaw exists in the filename parameter of Cacti's package_import.php. Because the parameter is joined into a file path without being confined to the intended directory, a request can name files outside that directory. The published CVSS v4 vector (AV:N/PR:N/UI:N, VC:L/VI:N/VA:N) describes a remotely reachable, unauthenticated flaw whose recorded impact is limited disclosure of file contents, with no integrity or availability impact; the advisory does not describe file writes or code execution. The weakness corresponds to CWE-22, Improper Limitation of a Pathname to a Restricted Directory, i.e. failure to validate user-supplied input before it is used for file system access.
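The following is an added example, not Cacti's code and not taken from the advisory. It shows the CWE-22 pattern described above in PHP (Cacti's language): a filename parameter joined to a package directory without confinement, beside a hardened version that resolves the path and requires it to stay inside the directory. The directory layout, the helper names and the assumption that filename refers to an existing file to be read are this example's, only the parameter name filename comes from the advisory.

```php
<?php
// Added example (not Cacti's code). Names, directory layout and the assumption
// that 'filename' names an existing file are this example's own.

// Vulnerable pattern: every path component is attacker-controlled, so a value
// such as '../../../../etc/passwd' leaves the package directory.
function vulnerable_package_path(string $packageDir, string $filename): string
{
    return $packageDir . '/' . $filename;
}

// Hardened pattern: resolve the directory and the candidate with realpath(),
// which collapses '.', '..' and symlinks, then require the candidate to sit
// under the directory. realpath() returns false for nonexistent paths, which is
// treated as a rejection. A symlink inside the directory that points outside
// resolves to its target and is rejected as well.
function safe_package_path(string $packageDir, string $filename): ?string
{
    // NUL bytes truncate paths in C-level filesystem calls; reject them first.
    if (strpos($filename, "\0") !== false) {
        return null;
    }
    $base = realpath($packageDir);
    if ($base === false) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $filename);
    if ($candidate === false) {
        return null;
    }
    // Compare against "$base/" so that a sibling such as /srv/packages-old
    // does not pass a prefix check for /srv/packages.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Demonstration against a throwaway directory (constructed for this example).
$tmp = sys_get_temp_dir() . '/cwe22-demo-' . getmypid();
mkdir($tmp . '/packages', 0700, true);
file_put_contents($tmp . '/packages/ok_package.xml.gz', 'package contents');
file_put_contents($tmp . '/secret.txt', 'outside the package directory');

foreach (['ok_package.xml.gz', '../secret.txt'] as $name) {
    $vuln = vulnerable_package_path($tmp . '/packages', $name);
    $safe = safe_package_path($tmp . '/packages', $name);
    printf("%-20s vulnerable: %-7s hardened: %s\n",
        $name,
        file_exists($vuln) ? 'opens' : 'denies',
        $safe === null ? 'rejected' : 'allowed');
}

// Clean up the throwaway files.
unlink($tmp . '/packages/ok_package.xml.gz');
unlink($tmp . '/secret.txt');
rmdir($tmp . '/packages');
rmdir($tmp);
```

The check compares resolved paths rather than filtering `../` substrings: a web server decodes percent-encoding once before PHP populates `$_GET`, so a filter written against the raw string is easy to miss with mixed encodings, whereas a containment check on the resolved path does not depend on how the traversal was spelled.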

Affected Systems

The flaw affects all Cacti installations running version 1.2.30 or earlier. The vendor addressed it in version 1.2.31; administrators should confirm that their instance is running 1.2.31 or later.

Risk and Exploitability

The CVSS v4 score of 6.9 (Medium) reflects a network-reachable flaw that needs no privileges and no user interaction (AV:N/AC:L/AT:N/PR:N/UI:N) and whose recorded impact is low confidentiality loss with no integrity or availability impact (VC:L/VI:N/VA:N). No EPSS score is published and the vulnerability is not listed in the CISA KEV catalog, so there is no public evidence of exploitation at the time of writing. An attacker needs network access to the Cacti web interface that serves package_import.php; the vector records no authentication requirement. The advisory does not detail exploitation steps, but for this weakness class the filename parameter would carry directory traversal sequences to reach files outside the intended directory.

Generated by OpenCVE AI on June 24, 2026 at 23:21 UTC.

Remediation

The vendor fix is Cacti 1.2.31 (see Description). The advisory lists no separate workaround.

OpenCVE Recommended Actions

  • Upgrade Cacti to version 1.2.31 or later
  • Restrict access to package_import.php to trusted administrators (the CVSS vector records no authentication requirement), and validate the filename parameter by resolving it against the package directory and rejecting any result outside it, rather than only filtering traversal substrings
  • Monitor web server logs for requests to package_import.php whose filename parameter contains traversal sequences, including URL-encoded and double-encoded forms, and for reads of files outside the package directory
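The following is an added example for the monitoring recommendation above; it is not part of the OpenCVE page or of Cacti. It scans access-log lines for requests to package_import.php whose filename parameter, once decoded, steps outside the current directory. The combined log format and the sample lines are constructed for this example, and the helper names are this example's own.

```php
<?php
// Added example (not OpenCVE's or Cacti's code). Log format, sample lines and
// helper names are assumptions made for this example.

// Decode until the value stops changing so double-encoded attempts such as
// '%252e%252e%252f' are seen as '../'. Bounded to avoid pathological input.
function decode_fully(string $value): string
{
    for ($i = 0; $i < 3; $i++) {
        $decoded = rawurldecode($value);
        if ($decoded === $value) {
            break;
        }
        $value = $decoded;
    }
    return $value;
}

// True when the request targets package_import.php and its filename value,
// after decoding, contains a '..' segment, an absolute path or a NUL byte.
function is_traversal_attempt(string $requestTarget): bool
{
    $path  = (string) parse_url($requestTarget, PHP_URL_PATH);
    $query = (string) parse_url($requestTarget, PHP_URL_QUERY);
    if (basename($path) !== 'package_import.php') {
        return false;
    }
    // parse_str() applies the single decode a web server would apply;
    // decode_fully() then strips any extra encoding layers.
    parse_str($query, $params);
    if (!isset($params['filename']) || !is_string($params['filename'])) {
        return false;
    }
    $filename = str_replace('\\', '/', decode_fully($params['filename']));
    if ($filename === '') {
        return false;
    }
    if ($filename[0] === '/' || strpos($filename, "\0") !== false) {
        return true;
    }
    foreach (explode('/', $filename) as $segment) {
        if ($segment === '..') {
            return true;
        }
    }
    return false;
}

// Extracts the request target from a combined-log-format line, or null.
function request_target(string $logLine): ?string
{
    if (preg_match('/"[A-Z]+ (\S+) HTTP\/[\d.]+"/', $logLine, $m) === 1) {
        return $m[1];
    }
    return null;
}

// Returns the log lines that look like traversal attempts.
function flag_log_lines(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        $target = request_target($line);
        if ($target !== null && is_traversal_attempt($target)) {
            $hits[] = $line;
        }
    }
    return $hits;
}

// Constructed sample lines (not real traffic); the first and last are benign.
$sample = [
    '203.0.113.5 - - [24/Jun/2026:22:50:01 +0000] "GET /cacti/package_import.php?filename=ok_package.xml.gz HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.5 - - [24/Jun/2026:22:50:02 +0000] "GET /cacti/package_import.php?filename=../../../../etc/passwd HTTP/1.1" 200 1023 "-" "curl/8.0"',
    '203.0.113.5 - - [24/Jun/2026:22:50:03 +0000] "GET /cacti/package_import.php?filename=%2e%2e%2f%2e%2e%2finclude%2fconfig.php HTTP/1.1" 200 3000 "-" "curl/8.0"',
    '203.0.113.5 - - [24/Jun/2026:22:50:04 +0000] "GET /cacti/package_import.php?filename=%252e%252e%252fconfig.php HTTP/1.1" 404 200 "-" "curl/8.0"',
    '203.0.113.9 - - [24/Jun/2026:22:50:05 +0000] "GET /cacti/graph_view.php?action=tree HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
];

foreach (flag_log_lines($sample) as $hit) {
    echo 'TRAVERSAL ATTEMPT: ', $hit, PHP_EOL;
}
```

The status code is deliberately ignored: a 404 on a double-encoded attempt still tells you someone is probing the parameter, and a 200 with an unusual response size on a traversal request is the line worth escalating.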


Advisories

No advisories yet.

History

Wed, 24 Jun 2026 22:45:00 +0000

Type          Values Removed    Values Added
Description   -                 Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior are vulnerable to Path Traversal via filename parameter in package_import.php. This issue has been fixed in version 1.2.31.
Title         -                 Cacti: Path Traversal via filename parameter in package_import.php
Weaknesses    -                 CWE-22
References    -                 -
Metrics       -                 cvssV4_0: score 6.9, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N



MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-24T22:33:14.099Z

Reserved: 2026-04-07T20:32:03.012Z

Link: CVE-2026-39899

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T23:30:03Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')