Description
Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have pre-authentication SQL Injection via unanchored FILTER_VALIDATE_REGEXP in graph_view.php. This issue has been fixed in version 1.2.31.
Published: 2026-06-24
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a pre‑authentication SQL injection in the graph_view.php file of Cacti. An attacker can supply crafted input that bypasses the unanchored FILTER_VALIDATE_REGEXP validation and inject arbitrary SQL statements before any authentication is required. This flaw can allow an attacker to read, modify, or delete data stored in the database, which may lead to database compromise.

Affected Systems

Cacti – version 1.2.30 and earlier are affected. The problem is fixed in 1.2.31 and later releases. Only instances running the vulnerable Cacti code are at risk.

Risk and Exploitability

The CVSS score of 9.8 indicates a critical level of severity, and the lack of an EPSS score simply means no current estimate of exploit probability is available. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that the attack vector is a network‑accessible HTTP request to graph_view.php with crafted query parameters, requiring no authentication. Successful exploitation would grant the attacker uncontrolled SQL execution on the Cacti database, potentially compromising confidential data.

Generated by OpenCVE AI on June 25, 2026 at 01:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Cacti to version 1.2.31 or later
  • Configure the web server to deny unauthenticated access to graph_view.php, restricting it to authenticated users only
  • Enable database query logging or intrusion detection to monitor suspicious queries and alert administrators of potential exploitation attempts

Generated by OpenCVE AI on June 25, 2026 at 01:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 06:00:00 +0000

Type Values Removed Values Added
First Time appeared Cacti
Cacti cacti
Vendors & Products Cacti
Cacti cacti

Wed, 24 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Description Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have pre-authentication SQL Injection via unanchored FILTER_VALIDATE_REGEXP in graph_view.php. This issue has been fixed in version 1.2.31.
Title Cacti has Pre-Authentication SQL Injection via unanchored FILTER_VALIDATE_REGEXP in graph_view.php
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-26T03:55:24.150Z

Reserved: 2026-04-07T22:40:33.821Z

Link: CVE-2026-39955

cve-icon Vulnrichment

Updated: 2026-06-25T14:36:15.856Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T05:45:02Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')