Description
Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have pre-authentication SQL Injection via unanchored FILTER_VALIDATE_REGEXP in graph_view.php. This issue has been fixed in version 1.2.31.
Published: 2026-06-24
Score: 9.8 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a pre-authentication SQL injection in the graph_view.php file of Cacti. An attacker can supply crafted input that passes the unanchored FILTER_VALIDATE_REGEXP validation and inject arbitrary SQL statements before any authentication is required. This flaw can allow an attacker to read, modify, or delete data stored in the database, up to full compromise of the Cacti database.
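The weakness class named above is worth seeing in code. The following is an added illustration, not Cacti's code and not the actual graph_view.php logic; the parameter name, the regular expression, the table and column names and the PDO handle are all hypothetical. It shows why an unanchored FILTER_VALIDATE_REGEXP is not a safe guard for a value that reaches SQL, what the anchored form looks like, and why the value should be bound as a parameter regardless of the filter.

```php
<?php
// Added illustration (not Cacti's code). Everything below is hypothetical:
// the regex, the function names, the table "graph" and the column "id".

// Weak check: the pattern is unanchored, so any string that merely CONTAINS a
// run of digits passes, and filter_var() returns the whole original string,
// trailing characters included. That string then reaches the query untouched.
function validate_unanchored(string $value)
{
    return filter_var($value, FILTER_VALIDATE_REGEXP,
        ['options' => ['regexp' => '/[0-9]+/']]);
}

// Hardened check: anchored with \A and \z (rather than ^ and $, which in PCRE
// still allow a single trailing newline), so only a pure digit string passes.
function validate_anchored(string $value)
{
    return filter_var($value, FILTER_VALIDATE_REGEXP,
        ['options' => ['regexp' => '/\A[0-9]+\z/']]);
}

// Constructed sample inputs: a clean id, an id with trailing text, and garbage.
$inputs = ['42', '42 trailing text', 'abc'];
foreach ($inputs as $in) {
    printf("%-20s unanchored=%s anchored=%s\n",
        var_export($in, true),
        var_export(validate_unanchored($in), true),
        var_export(validate_anchored($in), true));
}

// Defence in depth: even with the anchored filter, the value is bound as a
// parameter and cast to int; it is never concatenated into the SQL string.
function fetch_graph(PDO $db, string $raw): ?array
{
    $id = validate_anchored($raw);
    if ($id === false) {
        http_response_code(400);
        return null;
    }
    $stmt = $db->prepare('SELECT id, title FROM graph WHERE id = :id');
    $stmt->execute([':id' => (int) $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}
```

Running the loop shows the difference: the first input passes both checks, the second is returned whole by the unanchored check (trailing text and all) but rejected by the anchored one, and the third is rejected by both. The anchoring fixes the validator; the prepared statement in fetch_graph is what actually removes the injection sink, and is the mitigation to look for when reviewing similar code paths.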

Affected Systems

Cacti – versions 1.2.30 and earlier are affected. The problem is fixed in 1.2.31 and later releases. Only instances running the vulnerable Cacti code are at risk.

Risk and Exploitability

The CVSS score of 9.8 indicates a critical level of severity, and the lack of an EPSS score simply means no current estimate of exploit probability is available. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that the attack vector is a network-accessible HTTP request to graph_view.php with crafted query parameters, requiring no authentication. Successful exploitation would grant the attacker uncontrolled SQL execution on the Cacti database, potentially compromising confidential data.

Generated by OpenCVE AI on June 25, 2026 at 01:36 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade Cacti to version 1.2.31 or later
  • Configure the web server to deny unauthenticated access to graph_view.php, restricting it to authenticated users only
  • Enable database query logging or intrusion detection to monitor suspicious queries and alert administrators of potential exploitation attempts

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 23:15:00 +0000

Type        | Values Removed | Values Added
Description |                | Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have pre-authentication SQL Injection via unanchored FILTER_VALIDATE_REGEXP in graph_view.php. This issue has been fixed in version 1.2.31.
Title       |                | Cacti has Pre-Authentication SQL Injection via unanchored FILTER_VALIDATE_REGEXP in graph_view.php
Weaknesses  |                | CWE-89
References  |                |
Metrics     |                | cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-24T22:49:13.948Z

Reserved: 2026-04-07T22:40:33.821Z

Link: CVE-2026-39955

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T01:45:03Z

Weaknesses
  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')