CVE Catalog

CVE-2026-40080

MediumCVSS 6.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.15%

4th percentile — higher than 4% of all known CVEs

Summary

Cacti versions 1.2.30 and prior are vulnerable to Open Redirect due to using str_contains() for referer checking instead of full host validation. An attacker can craft a malicious Referer header to redirect the user to an attacker-controlled site after login.

Risk Assessment

The risk involves potential phishing or social engineering attacks where users are redirected to malicious sites after login, which could lead to credential theft or exposure of sensitive information.

Recommendation

Upgrade Cacti to version 1.2.31 or later immediately, which fixes the issue by properly invoking validate_redirect_url() from lib/html_utility.php for redirect validation.

Original NVD description (English source)

Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior are vulnerable to Open Redirect through a substring check rather than a host check at str_contains($referer, CACTI_PATH_URL). When the user's login_opts == '1' (redirect to referer after login), the function used $_SERVER['HTTP_REFERER'] directly. An attacker could craft a referer such as https://evil.com/cacti/. Where CACTI_PATH_URL is /cacti/, the substring matches and the user is redirected to evil.com after login. The pre-existing validate_redirect_url() helper at lib/html_utility.php performed proper validation but was not invoked from auth_login_redirect(). This issue has been fixed in version 1.2.31.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS