AI description
CVE-2026-39948 is a SQL injection vulnerability found in Cacti, an open-source framework for performance and fault management. This flaw affects versions 1.2.30 and earlier. The vulnerability arises because the `rfilter` request parameter is not properly validated and is directly concatenated into SQL clauses within `lib/html_graph.php` and `lib/html_tree.php`. This improper handling allows an unauthenticated attacker to bypass regex validation with an unbalanced-quote payload, enabling the injection of arbitrary SQL commands. The vulnerability is reachable pre-authentication through `graph_view.php` on installations where guest graph viewing is enabled, potentially compromising the confidentiality, integrity, and availability of the database. The issue has been resolved in Cacti version 1.2.31.
- Description
- Cacti is an open source performance and fault management framework. In versions 1.2.30 and prior, the rfilter request parameter is retrieved via the raw accessor grv() (rather than gfrv() with FILTER_VALIDATE_IS_REGEX validation) and concatenated directly into RLIKE SQL clauses in lib/html_graph.php and lib/html_tree.php, which are reachable pre-authentication through graph_view.php on installations with guest graph viewing enabled. Because the unbalanced-quote payload bypasses the regex validation that would otherwise reject it, an unauthenticated attacker can inject arbitrary SQL to compromise the confidentiality, integrity, and availability of the database. This advisory is similar to GHSA-69gg-mjfm-jjpc. This issue has been fixed in version 1.2.31.
- Source
- security-advisories@github.com
- NVD status
- Analyzed
- Products
- cacti
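The handling described in the two descriptions above, as an added example that is not Cacti's code and not taken from the advisory: a standalone Python model using SQLite with a registered REGEXP function in place of MySQL's RLIKE, over constructed graph titles. `validate_regex_filter` is a hypothetical stand-in for the kind of FILTER_VALIDATE_IS_REGEX check the advisory refers to; `search_unsafe` mirrors the concatenation pattern the advisory describes, and `search_safe` validates the value and binds it as a parameter.

```python
import re
import sqlite3

# Constructed sample graph titles (illustrative data, not from any Cacti install).
SAMPLE_GRAPHS = [("Traffic eth0",), ("Traffic eth1",), ("CPU load",), ("Disk usage",)]


def validate_regex_filter(value, max_len=256):
    """Accept a user-supplied regex filter only if it is a non-empty string of
    sane length that compiles; return the pattern, or None to reject it.
    Hypothetical stand-in for a FILTER_VALIDATE_IS_REGEX style check."""
    if not isinstance(value, str) or not value or len(value) > max_len:
        return None
    try:
        re.compile(value)
    except re.error:
        return None
    return value


def open_db():
    """In-memory SQLite with a REGEXP function so `x REGEXP y` behaves like RLIKE."""
    conn = sqlite3.connect(":memory:")
    # SQLite evaluates `X REGEXP Y` as regexp(Y, X): pattern first, then the text.
    conn.create_function(
        "REGEXP", 2,
        lambda pattern, text: 1 if text is not None and re.search(pattern, text) else 0,
    )
    conn.execute("CREATE TABLE graph (title TEXT)")
    conn.executemany("INSERT INTO graph VALUES (?)", SAMPLE_GRAPHS)
    return conn


def search_unsafe(conn, rfilter):
    """The shape the advisory describes: the raw parameter is spliced into the clause."""
    sql = "SELECT title FROM graph WHERE title REGEXP '" + rfilter + "' ORDER BY title"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, rfilter):
    """Validate first, then bind: the value is data and cannot alter the SQL text."""
    pattern = validate_regex_filter(rfilter)
    if pattern is None:
        return []
    rows = conn.execute(
        "SELECT title FROM graph WHERE title REGEXP ? ORDER BY title", (pattern,)
    )
    return [row[0] for row in rows]


def unsafe_query_breaks(conn, rfilter):
    """True if the concatenated form fails for this input, i.e. the input
    escaped the string literal and changed the statement's structure."""
    try:
        search_unsafe(conn, rfilter)
    except sqlite3.Error:
        return True
    return False


if __name__ == "__main__":
    db = open_db()
    print(search_safe(db, "^Traffic"))      # ['Traffic eth0', 'Traffic eth1']
    print(search_safe(db, "'"))             # [] : bound as data, matches no title
    print(unsafe_query_breaks(db, "'"))     # True: the unbalanced quote broke the clause
```

In this model a lone quote compiles as a valid regex, so the compile check alone does not reject it; it is the bound parameter that keeps the clause structure fixed, and a parse failure of the concatenated form (what `unsafe_query_breaks` reports) is the kind of database error a defender would expect to see logged when such input reaches an unpatched build. Cacti's own FILTER_VALIDATE_IS_REGEX check may apply rules that are not modelled here.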
CVSS 4.0
- Type
- Secondary
- Base score
- 9.3
- Impact score
- -
- Exploitability score
- -
- Vector string
- CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- Severity
- CRITICAL
CVSS 3.1
- Type
- Primary
- Base score
- 9.8
- Impact score
- 5.9
- Exploitability score
- 3.9
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Severity
- CRITICAL
- security-advisories@github.com
- CWE-89
Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.
- Hype score
12
Four critical vulnerabilities fixed in Cacti. CVE-2026-39893 and CVE-2026-39948 are SQL injection caused by building SQL RLIKE clauses without proper sanitization. CVE-2026-39955 is SQL injection caused by a missing anchor in a regular expression.
@__kokumoto
30 Jun 2026
805 Impressions
1 Retweet
0 Likes
0 Bookmarks
0 Replies
0 Quotes
⚠️⚠️ CVE-2026-39893 (CVSS 9.8) + CVE-2026-39948 (CVSS 9.8) + CVE-2026-39955 (CVSS 9.8) + CVE-2026-39938 (CVSS 9.8): Pre-auth SQLi and LFI in Cacti <=1.2.30 via graph_view.php; guest graph viewing can expose unauthenticated paths. 🔗FOFA Link: https://t.co/jTJEpmfiBV
@fofabot
30 Jun 2026
6802 Impressions
19 Retweets
70 Likes
32 Bookmarks
2 Replies
0 Quotes
[
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:cacti:cacti:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5406B2E1-D53C-45AC-8F93-CFCAEDC1B5F8",
"versionEndExcluding": "1.2.31",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
]