AI description
CVE-2026-39938 identifies an unauthenticated Local File Inclusion (LFI) vulnerability affecting Cacti, an open-source performance and fault management framework. This flaw is present in versions 1.2.30 and earlier of the software. The vulnerability arises from insufficient input validation within the `graph_theme` and `rrdtool` IPC serialization components. Exploitation of CVE-2026-39938 allows remote attackers to manipulate file inclusion parameters without requiring any authentication credentials. This can enable unauthorized access to arbitrary files on the system, potentially exposing sensitive information such as configuration files, database credentials, and other internal system data. The issue has been resolved in Cacti version 1.2.31.
- Description: Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have unauthenticated LFI through graph_theme and rrdtool IPC serialization hardening. This issue has been resolved in version 1.2.31.
- Source: security-advisories@github.com
- NVD status: Analyzed
- Products: cacti

CVSS 3.1
- Type: Secondary
- Base score: 9.8
- Impact score: 5.9
- Exploitability score: 3.9
- Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Severity: CRITICAL
- CWE (security-advisories@github.com): CWE-22
Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.
- Hype score: 9
Four critical vulnerabilities fixed in Cacti. CVE-2026-39893 and CVE-2026-39948 are SQL injection caused by building SQL RLIKE clauses without proper sanitization. CVE-2026-39955 is SQL injection caused by a missing anchor in a regular expression.
@__kokumoto, 30 Jun 2026: 710 impressions, 1 retweet, 0 likes, 0 bookmarks, 0 replies, 0 quotes
⚠️⚠️ CVE-2026-39893 (CVSS 9.8) + CVE-2026-39948 (CVSS 9.8) + CVE-2026-39955 (CVSS 9.8) + CVE-2026-39938 (CVSS 9.8): Pre-auth SQLi and LFI in Cacti <=1.2.30 via graph_view.php; guest graph viewing can expose unauthenticated paths. 🔗FOFA Link: https://t.co/jTJEpmfiBV
@fofabot, 30 Jun 2026: 3910 impressions, 14 retweets, 55 likes, 20 bookmarks, 0 replies, 0 quotes
Cacti vulnerabilities in 1.2.30 include pre-auth SQL injection and LFI, both CVSS 9.8 (CVE-2026-39955, CVE-2026-39938). Update to 1.2.31 now. #Cacti #SQLInjection #LFI #CVE #Cybersecurity #Infosec https://t.co/QJrq3ITZea https://t.co/RyOPac2ICl
@the_yellow_fall, 30 Jun 2026: 494 impressions, 1 retweet, 4 likes, 2 bookmarks, 0 replies, 0 quotes
Top CVEs w/ public exploits (Jun 20–27):
- CVE-2026-48908 Joomla SPB RCE (exploited live)
- CVE-2026-48909 Joomla SP LMS PHP Obj injection
- CVE-2026-12417 SignUp/In admin takeover
- CVE-2026-12416 Invoice Generator takeover
- CVE-2026-39938 Cacti LFI
Protect via https://t.co/ZUTqqMjQUp
@exploitgrid, 27 Jun 2026: 1601 impressions, 4 retweets, 19 likes, 7 bookmarks, 2 replies, 0 quotes
[
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:cacti:cacti:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "5406B2E1-D53C-45AC-8F93-CFCAEDC1B5F8",
            "versionEndExcluding": "1.2.31",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ]
  }
]