Description
Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have SQL Injection through unsanitized unserialize+implode in managers.php. At line 756 of managers.php, the application assigns $selected_items by calling cacti_unserialize(stripslashes(gnrv('selected_graphs_array'))). The cacti_unserialize() function calls unserialize() with allowed_classes set to false, which prevents object injection but still allows arbitrary string arrays to be deserialized. Then, at lines 760 to 766, the deserialized array values are passed directly into db_execute('DELETE FROM snmpagent_managers WHERE id IN (' . implode(',', $selected_items) . ')'), where they are imploded into the SQL statement without any integer validation, resulting in SQL Injection when using SNMP agent management permissions. This issue has been fixed in version 1.2.31.
Published: 2026-06-25
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw in managers.php stems from passing a user-supplied string to PHP’s unserialize() without sanitization, then directly appending the resulting array elements into an SQL DELETE statement. The lack of numeric validation on the array values allows an attacker to inject arbitrary SQL code into the DELETE query. Consequently, a malicious user could delete, alter, or otherwise manipulate SNMP manager records stored in the database, compromising data integrity and potentially exposing sensitive configuration information.

Affected Systems

Cacti, the open source performance and fault management framework, is affected in all releases of version 1.2.30 and earlier. The vulnerability lies in the web interface's SNMP agent management section, specifically the managers.php page that processes the "selected_graphs_array" parameter. Deployments still running these releases carry the vulnerable code.

Risk and Exploitability

The vulnerability carries a CVSS score of 7.2, indicating a moderate to high impact. No EPSS data is published, and the issue is not listed in the CISA KEV catalog. Exploitation requires authenticated access to the web interface with permissions to manage SNMP agents; once authenticated, an attacker can trigger the injection by submitting a crafted request to managers.php. Because the flaw allows direct manipulation of the database, the risk to confidentiality and integrity is significant until the fix is installed.

Generated by OpenCVE AI on June 26, 2026 at 00:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official Cacti update to version 1.2.31 or newer, which removes the unsafe unserialize and SQL concatenation logic.
  • Limit access to SNMP agent management endpoints, ensuring only trusted administrators can reach managers.php and perform delete operations.
  • Implement input validation or parameterized queries so that any array values used in database statements are first verified to be numeric identifiers before inclusion.
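To make the last action concrete, the following PHP is an added illustration (not Cacti's code and not its actual 1.2.31 fix) showing the unsafe pattern the description gives beside a hardened form that accepts only positive integer ids and binds them as query parameters. gnrv(), cacti_unserialize() and db_execute() are the helper names taken from the description; their bodies here, and the db_execute_prepared() helper, are stand-ins assumed for this example so it runs on its own and returns the SQL it would have executed.

```php
<?php
// Added illustration, not Cacti's code or its real fix. gnrv(), cacti_unserialize()
// and db_execute() are the helper names the advisory mentions; their bodies here and
// db_execute_prepared() are stand-ins (assumptions) so this file runs on its own and
// simply returns the statement it would have executed.

function gnrv(string $name): ?string
{
    return $_REQUEST[$name] ?? null;
}

function cacti_unserialize(string $data)
{
    // Same guard the advisory describes: blocks object injection, but an array of
    // arbitrary strings is still accepted.
    return unserialize($data, ['allowed_classes' => false]);
}

function db_execute(string $sql): string
{
    return $sql; // stand-in: return the statement instead of running it
}

function db_execute_prepared(string $sql, array $params): string
{
    return $sql . ' -- params: ' . json_encode($params); // stand-in
}

// The unsafe pattern from the description: deserialized values are imploded straight
// into the statement, so any string inside the array becomes part of the SQL text.
function delete_managers_unsafe(string $raw): string
{
    $selected_items = cacti_unserialize(stripslashes($raw));
    return db_execute('DELETE FROM snmpagent_managers WHERE id IN (' . implode(',', $selected_items) . ')');
}

// Hardened form: refuse the request unless every element is a positive integer, then
// bind the ids as parameters so no user-controlled text is concatenated into the SQL.
function delete_managers_safe(string $raw): ?string
{
    $selected_items = cacti_unserialize(stripslashes($raw));
    if (!is_array($selected_items) || $selected_items === []) {
        return null;
    }
    $ids = [];
    foreach ($selected_items as $item) {
        // ctype_digit on the string form rejects signs, decimals, spaces and SQL tokens;
        // the whole request is refused rather than silently dropping bad entries.
        if (!(is_int($item) || is_string($item)) || !ctype_digit((string) $item) || (int) $item <= 0) {
            return null;
        }
        $ids[] = (int) $item;
    }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    return db_execute_prepared('DELETE FROM snmpagent_managers WHERE id IN (' . $placeholders . ')', $ids);
}

// Constructed sample inputs in the serialized form the browser posts back.
$valid   = 'a:2:{i:0;s:1:"3";i:1;s:1:"7";}'; // two genuine ids
$tainted = 'a:1:{i:0;s:7:"7 extra";}';        // a non-integer value smuggled into the array

// In the real page the value comes from gnrv('selected_graphs_array'); on the CLI
// that is empty, so fall back to the constructed sample.
$raw = gnrv('selected_graphs_array') ?? $valid;

echo delete_managers_unsafe($raw), PHP_EOL;  // genuine ids pass either path
echo delete_managers_safe($raw), PHP_EOL;    // same ids, now bound as parameters
var_dump(delete_managers_safe($tainted));    // the validator refuses the tainted array
```

Refusing the whole request on the first non-integer element is deliberate: silently filtering bad entries would let a malformed array partially succeed and hide the fact that something tampered with the posted form.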

Tracking

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 03:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Cacti; Cacti cacti
Vendors & Products | | Cacti; Cacti cacti

Thu, 25 Jun 2026 23:15:00 +0000

Type | Values Removed | Values Added
Description | | Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have SQL Injection through unsanitized unserialize+implode in managers.php. At line 756 of managers.php, the application assigns $selected_items by calling cacti_unserialize(stripslashes(gnrv('selected_graphs_array'))). The cacti_unserialize() function calls unserialize() with allowed_classes set to false, which prevents object injection but still allows arbitrary string arrays to be deserialized. Then, at lines 760 to 766, the deserialized array values are passed directly into db_execute('DELETE FROM snmpagent_managers WHERE id IN (' . implode(',', $selected_items) . ')'), where they are imploded into the SQL statement without any integer validation, resulting in SQL Injection when using SNMP agent management permissions. This issue has been fixed in version 1.2.31.
Title | | Cacti: SQL Injection in managers.php
Weaknesses | | CWE-89
References | |
Metrics | | cvssV3_1 {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-25T22:39:17.541Z

Reserved: 2026-04-09T00:39:12.205Z

Link: CVE-2026-40083

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T03:30:06Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')