CVE Catalog

CVE-2026-39948

CriticalCVSS 9.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.46%

36th percentile — higher than 36% of all known CVEs

Summary

In Cacti versions 1.2.30 and prior, the rfilter request parameter is retrieved via the raw accessor grv() instead of gfrv() with FILTER_VALIDATE_IS_REGEX validation and concatenated directly into RLIKE SQL clauses in lib/html_graph.php and lib/html_tree.php. These files are reachable pre-authentication through graph_view.php on installations with guest graph viewing enabled. Because the unbalanced-quote payload bypasses the regex validation that would otherwise reject it, an unauthenticated attacker can inject arbitrary SQL to compromise the confidentiality, integrity, and availability of the database.

Risk Assessment

The risk to the organization includes complete compromise of the Cacti database, potentially leading to leakage of sensitive monitored system data, configuration modification, and disruption of monitoring services.

Recommendation

Immediately update Cacti to version 1.2.31 or later. If updating is not possible, disable guest graph viewing in the Cacti configuration.

Original NVD description (English source)

Cacti is an open source performance and fault management framework. In versions 1.2.30 and prior, the rfilter request parameter is retrieved via the raw accessor grv() (rather than gfrv() with FILTER_VALIDATE_IS_REGEX validation) and concatenated directly into RLIKE SQL clauses in lib/html_graph.php and lib/html_tree.php, which are reachable pre-authentication through graph_view.php on installations with guest graph viewing enabled. Because the unbalanced-quote payload bypasses the regex validation that would otherwise reject it, an unauthenticated attacker can inject arbitrary SQL to compromise the confidentiality, integrity, and availability of the database. This advisory is similar to GHSA-69gg-mjfm-jjpc. This issue has been fixed in version 1.2.31.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS