CVE Catalog

CVE-2026-39893

CriticalCVSS 9.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.36%

28th percentile — higher than 28% of all known CVEs

Summary

In Cacti versions 1.2.30 and prior, the rfilter request variable was concatenated into an RLIKE SQL clause without sanitization. The vulnerability allows pre-auth SQL Injection (SQLi) if guest graph viewing is enabled. The issue was fixed in version 1.2.31.

Risk Assessment

An unauthenticated attacker can execute arbitrary SQL queries, potentially leading to data leakage, database modification, or privilege escalation.

Recommendation

Immediately upgrade Cacti to version 1.2.31 or later. If upgrading is not possible, consider disabling guest graph access.

Original NVD description (English source)

Cacti is an open source performance and fault management framework. In versions 1.2.30 and prior, the rfilter request variable was concatenated into a RLIKE SQL clause without sanitization. The endpoint does not require authentication (graph viewing supports guest access via the configured guest user), so the SQLi was reachable pre-auth on installs with guest viewing enabled. This issue was fixed in version 1.2.31.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS