Description
Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have a Stored SQL Injection vulnerability through graph_name_regexp in the Reports feature. This issue has been fixed in version 1.2.31.
Published: 2026-06-24
Score: 7.6 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Cacti, an open-source performance and fault management system, has a stored SQL injection flaw in its Reports feature through the graph_name_regexp parameter. An attacker who can supply a crafted value for this parameter can inject arbitrary SQL statements into the underlying query, enabling the attacker to read, modify, or delete data stored in the database. If the database accounts used by the application have elevated privileges, the injection could be leveraged to compromise the entire system.

Affected Systems

The vulnerability affects all installations of Cacti version 1.2.30 and earlier. The defect was fixed in Cacti 1.2.31 and subsequent releases. All deployments using the Reports feature are at risk.

Risk and Exploitability

The CVSS score of 7.6 categorises the defect as high severity. EPSS data is unavailable, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to have access to the Cacti web interface for the Reports page, where they can submit the graph_name_regexp value. If the application runs with high-privilege database credentials, the injected code could provide the attacker with read or write access to sensitive data or enable further exploitation.

Generated by OpenCVE AI on June 25, 2026 at 01:06 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade the Cacti application to version 1.2.31 or later to apply the vendor patch.
  • If an upgrade cannot be performed immediately, limit or disable access to the Reports feature for users who do not require it.
  • Implement input validation or sanitization for the graph_name_regexp parameter and ensure that database accounts used by Cacti employ the principle of least privilege.


Tracking


Advisories

No advisories yet.

History

Wed, 24 Jun 2026 23:45:00 +0000

Type        | Values Removed | Values Added
Description |                | Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have a Stored SQL Injection vulnerability through graph_name_regexp in the Reports feature. This issue has been fixed in version 1.2.31.
Title       |                | Cacti: Stored SQL Injection via graph_name_regexp in Reports feature
Weaknesses  |                | CWE-89
References  |                |
Metrics     |                | cvssV3_1: {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-24T23:14:39.024Z

Reserved: 2026-04-07T22:40:33.821Z

Link: CVE-2026-39951

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T01:15:15Z

Weaknesses
  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')