Description
Cacti is an open source performance and fault management framework. In versions 1.2.30 and prior, the rfilter request parameter is retrieved via the raw accessor grv() (rather than gfrv() with FILTER_VALIDATE_IS_REGEX validation) and concatenated directly into RLIKE SQL clauses in lib/html_graph.php and lib/html_tree.php, which are reachable pre-authentication through graph_view.php on installations with guest graph viewing enabled. Because the unbalanced-quote payload bypasses the regex validation that would otherwise reject it, an unauthenticated attacker can inject arbitrary SQL to compromise the confidentiality, integrity, and availability of the database. This advisory is similar to GHSA-69gg-mjfm-jjpc. This issue has been fixed in version 1.2.31.
Published: 2026-06-24
Score: 9.3 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Cacti versions 1.2.30 and earlier allow an unauthenticated SQL injection attack through the rfilter request parameter. The parameter is read via a raw accessor and inserted directly into RLIKE clauses in lib/html_graph.php and lib/html_tree.php. By crafting an unbalanced-quote payload that bypasses the intended regex validation, an attacker can inject arbitrary SQL to compromise the confidentiality, integrity, and availability of the database.
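The pattern behind this bug, as an added illustration that is not Cacti's code: a request value concatenated into the SQL text beside a hardened form that validates the value as a regular expression (the role FILTER_VALIDATE_IS_REGEX plays in Cacti) and then binds it as a parameter. SQLite stands in for MySQL here, with the REGEXP operator (MySQL's RLIKE is a synonym for REGEXP) routed to a user-defined function; table and row contents are constructed sample data.

```python
import re
import sqlite3
# Added example, not Cacti's code; SQLite's REGEXP stands in for MySQL's RLIKE.

def _regexp(pattern: str, value: str) -> bool:
    return re.search(pattern, value or "") is not None

def open_db() -> sqlite3.Connection:
    """Constructed sample table standing in for graph titles (not Cacti data)."""
    db = sqlite3.connect(":memory:")
    db.create_function("regexp", 2, _regexp)  # SQLite calls regexp(Y, X) for X REGEXP Y
    db.execute("CREATE TABLE graph_local (id INTEGER, title_cache TEXT)")
    db.executemany("INSERT INTO graph_local VALUES (?, ?)",
                   [(1, "core-rtr01 - Traffic"), (2, "O'Brien lab - Load"),
                    (3, "edge-fw02 - Sessions")])
    return db

def is_valid_regex(candidate: str) -> bool:
    """Stand-in for a FILTER_VALIDATE_IS_REGEX check: reject malformed patterns."""
    try:
        re.compile(candidate)
    except re.error:
        return False
    return True

def search_unsafe(db: sqlite3.Connection, rfilter: str) -> list:
    """Raw accessor plus concatenation: the value becomes part of the SQL text."""
    sql = "SELECT id FROM graph_local WHERE title_cache REGEXP '" + rfilter + "'"
    return [row[0] for row in db.execute(sql)]

def search_safe(db: sqlite3.Connection, rfilter: str) -> list:
    """Validate as a regex, then bind: the value never enters the SQL text."""
    if not is_valid_regex(rfilter):
        raise ValueError("rfilter is not a valid regular expression")
    sql = "SELECT id FROM graph_local WHERE title_cache REGEXP ?"
    return [row[0] for row in db.execute(sql, (rfilter,))]

def unsafe_breaks(db: sqlite3.Connection, rfilter: str) -> bool:
    """True when the concatenated query fails to parse for this value."""
    try:
        search_unsafe(db, rfilter)
    except sqlite3.OperationalError:
        return True
    return False

if __name__ == "__main__":
    db = open_db()
    print(search_safe(db, "rtr|fw"))      # [1, 3]
    print(search_safe(db, "O'Brien"))     # [2]: a quote is plain data when bound
    print(unsafe_breaks(db, "O'Brien"))   # True: the quote ends the SQL literal
```

A legitimate title containing an apostrophe is enough to show why validation alone is not the fix: the bound query handles it as data, while the concatenated query no longer parses.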

Affected Systems

The vulnerability affects the open source performance and fault management framework Cacti, specifically any installation running version 1.2.30 or earlier. The affected files are accessed through graph_view.php when guest graph viewing is enabled.

Risk and Exploitability

The CVSS score of 9.3 indicates a high-severity risk. The vulnerability can be exploited without authentication on systems that permit guest graph viewing, meaning an external attacker can reach the vulnerable endpoints over the network. While the EPSS score is not available and the issue is not listed in CISA’s KEV catalog, the combination of an unfiltered input, public reachability, and critical database impact makes the exploit probability high for exposed deployments.

Generated by OpenCVE AI on June 25, 2026 at 01:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Cacti to version 1.2.31 or later, which removes the vulnerable rfilter handling.
  • Disable guest graph viewing to block unauthenticated access to the vulnerable graph_view.php endpoints.
  • Audit configuration files to ensure that raw accessors are not used in SQL statements or consult the vendor’s changelog for additional security hardening instructions.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 23:15:00 +0000

Values added (no values removed):
  • Description: Cacti is an open source performance and fault management framework. In versions 1.2.30 and prior, the rfilter request parameter is retrieved via the raw accessor grv() (rather than gfrv() with FILTER_VALIDATE_IS_REGEX validation) and concatenated directly into RLIKE SQL clauses in lib/html_graph.php and lib/html_tree.php, which are reachable pre-authentication through graph_view.php on installations with guest graph viewing enabled. Because the unbalanced-quote payload bypasses the regex validation that would otherwise reject it, an unauthenticated attacker can inject arbitrary SQL to compromise the confidentiality, integrity, and availability of the database. This advisory is similar to GHSA-69gg-mjfm-jjpc. This issue has been fixed in version 1.2.31.
  • Title: Cacti has SQL Injection via rfilter parameter in RLIKE clauses
  • Weaknesses: CWE-89
  • References: (none listed)
  • Metrics: cvssV4_0 {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Updated: 2026-06-24T23:06:39.057Z

Reserved: 2026-04-07T22:40:33.821Z

Link: CVE-2026-39948

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T01:15:15Z

Weaknesses
  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')