CVE-2026-39955

Published Jun 24, 2026

Last updated 4 days ago

CVSS critical 9.8

Overview

AI description

Automated description summarized from trusted sources.

CVE-2026-39955 describes a pre-authentication SQL Injection vulnerability found in Cacti, an open-source performance and fault management framework. This flaw affects versions 1.2.30 and earlier of the software. The vulnerability specifically resides within the `graph_view.php` component, where an unanchored `FILTER_VALIDATE_REGEXP` function allows attackers to bypass input validation. By exploiting this weakness, remote unauthenticated attackers can inject malicious SQL payloads into the application's database layer through crafted input parameters. This issue has been addressed and fixed in Cacti version 1.2.31.

Description
Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have pre-authentication SQL Injection via unanchored FILTER_VALIDATE_REGEXP in graph_view.php. This issue has been fixed in version 1.2.31.
Source
security-advisories@github.com
NVD status
Analyzed
Products
cacti

Risk scores

CVSS 3.1

Type
Secondary
Base score
9.8
Impact score
5.9
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
CRITICAL

Weaknesses

security-advisories@github.com
CWE-89

Social media

Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.

Hype score

9

  1. Cactiで重大(Critical)な脆弱性4件が修正。CVE-2026-39893とCVE-2026-39948は、SQL RLIKE句を適切な無害化無しで組んでいたことによるSQLインジェクション。CVE-2026-39955は正規表現のアンカー欠如によるSQLインジェクション。

    @__kokumoto

    30 Jun 2026

    677 Impressions

    1 Retweet

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. ⚠️⚠️ CVE-2026-39893 (CVSS 9.8) + CVE-2026-39948 (CVSS 9.8) + CVE-2026-39955 (CVSS 9.8) + CVE-2026-39938 (CVSS 9.8): Pre-auth SQLi and LFI in Cacti <=1.2.30 via graph_view.php; guest graph viewing can expose unauthenticated paths. 🔗FOFA Link: https://t.co/jTJEpmfiBV

    @fofabot

    30 Jun 2026

    3397 Impressions

    13 Retweets

    53 Likes

    20 Bookmarks

    0 Replies

    0 Quotes

  3. Cacti vulnerabilities in 1.2.30 include pre-auth SQL injection and LFI, both CVSS 9.8 (CVE-2026-39955, CVE-2026-39938). Update to 1.2.31 now. #Cacti #SQLInjection #LFI #CVE #Cybersecurity #Infosec https://t.co/QJrq3ITZea https://t.co/RyOPac2ICl

    @the_yellow_fall

    30 Jun 2026

    485 Impressions

    1 Retweet

    4 Likes

    2 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have a package import signature validation bypass allows which allows self-signed packages. This issue has been fixed in version 1.2.31.CVE-2026-40941
  2. Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior are vulnerable to Path Traversal through the Report format_file Parameter, causing arbitrary file read. This vulnerability occurs in two stages. In the first stage (stored injection), lib/html_reports.php at line 283 stores $save['format_file'] = $post['format_file'] directly into the database without any validation. In the second stage (file read), lib/reports.php at line 667 concatenates CACTI_PATH_FORMATS . '/' . $format_file, and line 670 then calls file($format_file), reading arbitrary files from the filesystem. This issue has been fixed in version 1.2.31.CVE-2026-40084
  3. Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have SQL Injection through unsanitized unserialize+implode in managers.php. At line 756 of managers.php, the application assigns $selected_items by calling cacti_unserialize(stripslashes(gnrv('selected_graphs_array'))). The cacti_unserialize() function calls unserialize() with allowed_classes set to false, which prevents object injection but still allows arbitrary string arrays to be deserialized. Then, at lines 760 to 766, the deserialized array values are passed directly into db_execute('DELETE FROM snmpagent_managers WHERE id IN (' . implode(',', $selected_items) . ')'), where they are imploded into the SQL statement without any integer validation, resulting in SQL Injection when using SNMP agent management permissions. This issue has been fixed in version 1.2.31.CVE-2026-40083
  4. Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have missing session_regenerate_id() after login, leading to Session Fixation. session_regenerate_id() is NOT called after successful login. The login flow at auth_login.php:203-207 directly sets $_SESSION[SESS_USER_ID] without rotating the session ID. The session cookie configuration is otherwise good (httponly=true, samesite=Strict, secure=true for HTTPS at include/global.php:513-537), but these do not prevent session fixation via same-site vectors. This issue has been fixed in version 1.2.31.CVE-2026-40082
  5. Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior are vulnerable to Open Redirect through a substring check rather than a host check at str_contains($referer, CACTI_PATH_URL). When the user's login_opts == '1' (redirect to referer after login), the function used $_SERVER['HTTP_REFERER'] directly. An attacker could craft a referer such as https://evil.com/cacti/. Where CACTI_PATH_URL is /cacti/, the substring matches and the user is redirected to evil.com after login. The pre-existing validate_redirect_url() helper at lib/html_utility.php performed proper validation but was not invoked from auth_login_redirect(). This issue has been fixed in version 1.2.31.CVE-2026-40080

References

Sources include official advisories and independent security research.