CVE-2026-40084
MediumCVSS 6.5Exploitation Probability (EPSS)
Low risk22th percentile — higher than 22% of all known CVEs
Summary
Cacti versions 1.2.30 and prior are vulnerable to Path Traversal via the Report format_file parameter, allowing arbitrary file read. The vulnerability involves two stages: stored injection without validation and subsequent file read using an unsanitized path.
Risk Assessment
An attacker can read sensitive system files, such as configurations, passwords, or application data, leading to information disclosure and potential attack escalation.
Recommendation
Immediately upgrade Cacti to version 1.2.31 or later, which includes a fix for this vulnerability.
Original NVD description (English source)
Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior are vulnerable to Path Traversal through the Report format_file Parameter, causing arbitrary file read. This vulnerability occurs in two stages. In the first stage (stored injection), lib/html_reports.php at line 283 stores $save['format_file'] = $post['format_file'] directly into the database without any validation. In the second stage (file read), lib/reports.php at line 667 concatenates CACTI_PATH_FORMATS . '/' . $format_file, and line 670 then calls file($format_file), reading arbitrary files from the filesystem. This issue has been fixed in version 1.2.31.

