CVE-2026-39938
CriticalCVSS 9.8Exploitation Probability (EPSS)
Low risk35th percentile — higher than 35% of all known CVEs
Summary
Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have unauthenticated LFI through graph_theme and rrdtool IPC serialization hardening. This issue has been resolved in version 1.2.31.
Risk Assessment
An unauthenticated attacker can read arbitrary files on the server, potentially leading to disclosure of sensitive data such as configurations, passwords, or private keys.
Recommendation
Immediately upgrade Cacti to version 1.2.31 or later. If upgrading is not possible, restrict access to the Cacti interface to trusted networks only.
Original NVD description (English source)
Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have unauthenticated LFI through graph_theme and rrdtool IPC serialization hardening. This issue has been resolved in version 1.2.31.

