CVE-2026-39893

Published Jun 24, 2026

Last updated 5 days ago

CVSS critical 9.8

Overview

AI description

Automated description summarized from trusted sources.

CVE-2026-39893 is a pre-authentication SQL injection vulnerability found in Cacti, an open-source performance and fault management framework. This flaw affects versions 1.2.30 and earlier. The vulnerability stems from insufficient sanitization of the `rfilter` request variable, which is directly concatenated into a `RLIKE` SQL clause within the `graph_view.php` component. When guest viewing is enabled on a Cacti installation, this vulnerability allows unauthenticated attackers to inject malicious SQL payloads. The issue was addressed and fixed in Cacti version 1.2.31.

Description
Cacti is an open source performance and fault management framework. In versions 1.2.30 and prior, the rfilter request variable was concatenated into a RLIKE SQL clause without sanitization. The endpoint does not require authentication (graph viewing supports guest access via the configured guest user), so the SQLi was reachable pre-auth on installs with guest viewing enabled. This issue was fixed in version 1.2.31.
Source
security-advisories@github.com
NVD status
Analyzed
Products
cacti

Risk scores

CVSS 3.1

Type
Secondary
Base score
9.8
Impact score
5.9
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
CRITICAL

Weaknesses

security-advisories@github.com
CWE-89

Social media

Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.

Hype score

14

  1. Cactiで重大(Critical)な脆弱性4件が修正。CVE-2026-39893とCVE-2026-39948は、SQL RLIKE句を適切な無害化無しで組んでいたことによるSQLインジェクション。CVE-2026-39955は正規表現のアンカー欠如によるSQLインジェクション。

    @__kokumoto

    30 Jun 2026

    824 Impressions

    1 Retweet

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. ⚠️⚠️ CVE-2026-39893 (CVSS 9.8) + CVE-2026-39948 (CVSS 9.8) + CVE-2026-39955 (CVSS 9.8) + CVE-2026-39938 (CVSS 9.8): Pre-auth SQLi and LFI in Cacti <=1.2.30 via graph_view.php; guest graph viewing can expose unauthenticated paths. 🔗FOFA Link: https://t.co/jTJEpmfiBV

    @fofabot

    30 Jun 2026

    9057 Impressions

    20 Retweets

    75 Likes

    36 Bookmarks

    2 Replies

    0 Quotes

Configurations

Related CVEs

  1. Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have a package import signature validation bypass allows which allows self-signed packages. This issue has been fixed in version 1.2.31.CVE-2026-40941
  2. Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior are vulnerable to Path Traversal through the Report format_file Parameter, causing arbitrary file read. This vulnerability occurs in two stages. In the first stage (stored injection), lib/html_reports.php at line 283 stores $save['format_file'] = $post['format_file'] directly into the database without any validation. In the second stage (file read), lib/reports.php at line 667 concatenates CACTI_PATH_FORMATS . '/' . $format_file, and line 670 then calls file($format_file), reading arbitrary files from the filesystem. This issue has been fixed in version 1.2.31.CVE-2026-40084
  3. Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have SQL Injection through unsanitized unserialize+implode in managers.php. At line 756 of managers.php, the application assigns $selected_items by calling cacti_unserialize(stripslashes(gnrv('selected_graphs_array'))). The cacti_unserialize() function calls unserialize() with allowed_classes set to false, which prevents object injection but still allows arbitrary string arrays to be deserialized. Then, at lines 760 to 766, the deserialized array values are passed directly into db_execute('DELETE FROM snmpagent_managers WHERE id IN (' . implode(',', $selected_items) . ')'), where they are imploded into the SQL statement without any integer validation, resulting in SQL Injection when using SNMP agent management permissions. This issue has been fixed in version 1.2.31.CVE-2026-40083
  4. Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have missing session_regenerate_id() after login, leading to Session Fixation. session_regenerate_id() is NOT called after successful login. The login flow at auth_login.php:203-207 directly sets $_SESSION[SESS_USER_ID] without rotating the session ID. The session cookie configuration is otherwise good (httponly=true, samesite=Strict, secure=true for HTTPS at include/global.php:513-537), but these do not prevent session fixation via same-site vectors. This issue has been fixed in version 1.2.31.CVE-2026-40082
  5. Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior are vulnerable to Open Redirect through a substring check rather than a host check at str_contains($referer, CACTI_PATH_URL). When the user's login_opts == '1' (redirect to referer after login), the function used $_SERVER['HTTP_REFERER'] directly. An attacker could craft a referer such as https://evil.com/cacti/. Where CACTI_PATH_URL is /cacti/, the substring matches and the user is redirected to evil.com after login. The pre-existing validate_redirect_url() helper at lib/html_utility.php performed proper validation but was not invoked from auth_login_redirect(). This issue has been fixed in version 1.2.31.CVE-2026-40080

References

Sources include official advisories and independent security research.