Description
Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior are vulnerable to Path Traversal through the Report format_file Parameter, causing arbitrary file read. This vulnerability occurs in two stages. In the first stage (stored injection), lib/html_reports.php at line 283 stores $save['format_file'] = $post['format_file'] directly into the database without any validation. In the second stage (file read), lib/reports.php at line 667 concatenates CACTI_PATH_FORMATS . '/' . $format_file, and line 670 then calls file($format_file), reading arbitrary files from the filesystem. This issue has been fixed in version 1.2.31.
Published: 2026-06-25
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability allows an attacker to read arbitrary files from the server’s filesystem. The flaw is a classic Path Traversal (CWE-22) that occurs in two stages: first, the submitted format_file parameter is stored in the database without validation; second, the stored value is concatenated with a directory path and passed to a file reading function, enabling disclosure of any file accessible to the web process. Such access can expose confidential data and serve as a foothold for further attacks.

Affected Systems

The flaw affects the Cacti performance and fault management framework. Versions 1.2.30 and earlier are vulnerable, with the issue remediated in 1.2.31. Any deployment running these versions, particularly in environments where users can create or modify report definitions, is at risk.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate severity, and no EPSS score is available. The attack requires crafting a payload and submitting it through the report interface, which means the attacker likely needs at least report-authoring privileges. Once the first stage succeeds, the second stage permits reading any file visible to the web server process. The vulnerability is not listed in CISA’s KEV catalog.

Generated by OpenCVE AI on June 26, 2026 at 01:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Cacti patch (upgrade to version 1.2.31 or later).
  • Restrict the ability to create or edit reports to privileged users only, and consider removing or disabling the format_file field in the report interface.
  • Implement input validation or sanitization for the format_file parameter by enforcing a whitelist of allowed filenames or disallowing traversal sequences before storing or using the value.
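The validation the recommended actions call for, and the two stages the description identifies (storing format_file unvalidated, then concatenating it with CACTI_PATH_FORMATS and passing it to file()), can be illustrated with an added example. This is not Cacti's code: the function names, the assumption that format files carry a .format extension, and the demo directory are all constructed for the example.

```php
<?php
// Added example (not Cacti's code). Shows an allow-list check at stage 1
// (before the value is stored) and a containment check at stage 2 (before the
// stored name is joined to the formats directory and read). The names
// report_format_file_validate / report_format_file_read and the ".format"
// extension are assumptions made for this example.

declare(strict_types=1);

/**
 * List the format files actually present in the formats directory.
 */
function report_format_file_list(string $formats_dir): array
{
    $names = [];
    foreach (scandir($formats_dir) ?: [] as $entry) {
        if (is_file($formats_dir . DIRECTORY_SEPARATOR . $entry) && preg_match('/\.format\z/', $entry)) {
            $names[] = $entry;
        }
    }
    return $names;
}

/**
 * Stage-1 check: return the bare filename if $candidate is acceptable, else null.
 * Run this before anything like $save['format_file'] = $post['format_file'].
 */
function report_format_file_validate(string $candidate, string $formats_dir): ?string
{
    // Reject NUL bytes, path separators and traversal sequences outright.
    if ($candidate === '' || strpbrk($candidate, "\0/\\") !== false || strpos($candidate, '..') !== false) {
        return null;
    }
    // Only a plain name with a restricted character set and the expected extension.
    if (!preg_match('/\A[A-Za-z0-9_-]+\.format\z/', $candidate)) {
        return null;
    }
    // Allow-list: the name must be one of the files shipped in the formats directory.
    return in_array($candidate, report_format_file_list($formats_dir), true) ? $candidate : null;
}

/**
 * Stage-2 check: resolve the stored name and confirm the result still lies inside
 * the formats directory before reading it. This protects the read even when a bad
 * value reached the database before stage-1 validation existed.
 */
function report_format_file_read(string $stored_name, string $formats_dir): ?array
{
    $base = realpath($formats_dir);
    $full = realpath($formats_dir . DIRECTORY_SEPARATOR . $stored_name);
    if ($base === false || $full === false) {
        return null;
    }
    if (strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null; // resolved path escaped the formats directory
    }
    $lines = file($full, FILE_IGNORE_NEW_LINES);
    return $lines === false ? null : $lines;
}

// Constructed demo: a temporary formats directory holding one legitimate file.
$dir = sys_get_temp_dir() . '/formats_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . '/default.format', "<html>\n<body>\n</body>\n</html>\n");

// Stage 1: only the shipped file name is accepted; traversal, unknown names and
// NUL-byte tricks are rejected before they can be stored.
foreach (['default.format', '../../../../etc/passwd', 'other.format', "default.format\0x"] as $input) {
    $ok = report_format_file_validate($input, $dir);
    printf("%-34s => %s\n", json_encode($input), $ok === null ? 'REJECTED' : 'stored as ' . $ok);
}

// Stage 2: a traversal value that somehow reached the database is still refused,
// while the legitimate file is read normally.
echo "traversal read refused: ", var_export(report_format_file_read('../../../../etc/passwd', $dir) === null, true), "\n";
echo "default.format lines:   ", count(report_format_file_read('default.format', $dir) ?? []), "\n";

unlink($dir . '/default.format');
rmdir($dir);
```

Both checks are kept because they guard different things: the stage-1 allow-list stops bad values from ever being persisted, and the stage-2 realpath containment check makes the read safe for rows that were stored before the fix. Rejecting '..' and separators is not a substitute for the allow-list; it is only the cheap first filter.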



Advisories

No advisories yet.

History

Fri, 26 Jun 2026 13:30:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 03:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Cacti; Cacti cacti

Type: Vendors & Products
Values Removed: (none)
Values Added: Cacti; Cacti cacti

Thu, 25 Jun 2026 23:15:00 +0000

Type: Description
Values Added: Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior are vulnerable to Path Traversal through the Report format_file Parameter, causing arbitrary file read. This vulnerability occurs in two stages. In the first stage (stored injection), lib/html_reports.php at line 283 stores $save['format_file'] = $post['format_file'] directly into the database without any validation. In the second stage (file read), lib/reports.php at line 667 concatenates CACTI_PATH_FORMATS . '/' . $format_file, and line 670 then calls file($format_file), reading arbitrary files from the filesystem. This issue has been fixed in version 1.2.31.

Type: Title
Values Added: Cacti: Arbitrary File Read via Path Traversal in Report `format_file` Parameter

Type: Weaknesses
Values Added: CWE-22

Type: References
Values Added: (none listed)

Type: Metrics (cvssV3_1)
Values Added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-26T12:44:37.984Z

Reserved: 2026-04-09T00:39:12.205Z

Link: CVE-2026-40084

Vulnrichment

Updated: 2026-06-26T12:44:15.604Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T03:30:06Z

Weaknesses
  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')