Source: cacti
Version: 1.2.30+ds1-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerabilities were published for cacti.

CVE-2026-39893[0]:
| Cacti is an open source performance and fault management framework.
| In versions 1.2.30 and prior, the rfilter request variable was
| concatenated into a RLIKE SQL clause without sanitization. The
| endpoint does not require authentication (graph viewing supports
| guest access via the configured guest user), so the SQLi was
| reachable pre-auth on installs with guest viewing enabled. This
| issue was fixed in version 1.2.31.

CVE-2026-39894[1]:
| Cacti is an open source performance and fault management framework.
| In versions 1.2.30 and below, the locale-dependent decimal
| formatting in rrdtool_function_update() can corrupt RRDtool metric
| values. The rrdtool_function_update() function checks metric values
| with is_numeric() and concatenates them into the RRDtool update
| command via PHP string interpolation. PHP's string cast of floats is
| locale-sensitive: if LC_NUMERIC uses comma as decimal separator
| (e.g., de_DE), a value of 1.5 becomes "1,5". RRDtool expects . as
| decimal separator, causing metric data to shift into wrong columns
| or be silently dropped. No setlocale() reset is present in the
| update path. This causes a data integrity issue, but is not remotely
| exploitable; it requires server locale misconfiguration. The issue
| has been fixed in version 1.2.31.

CVE-2026-39897[2]:
| Cacti is an open source performance and fault management framework.
| Versions 1.2.30 and below contain a Reflected XSS vulnerability in
| the html_auth_footer. This issue has been fixed in version 1.2.31.

CVE-2026-39899[3]:
| Cacti is an open source performance and fault management framework.
| Versions 1.2.30 and prior are vulnerable to Path Traversal via
| filename parameter in package_import.php. This issue has been fixed
| in version 1.2.31.

CVE-2026-39900[4]:
| Cacti is an open source performance and fault management framework.
| Versions 1.2.30 and prior are vulnerable to Reflected XSS via tab
| parameter in the auth_profile.php JavaScript context. This issue has
| been fixed in version 1.2.31.

CVE-2026-39938[5]:
| Cacti is an open source performance and fault management framework.
| Versions 1.2.30 and prior have unauthenticated LFI through
| graph_theme and rrdtool IPC serialization hardening. This issue has
| been resolved in version 1.2.31.

CVE-2026-39948[6]:
| Cacti is an open source performance and fault management framework.
| In versions 1.2.30 and prior, the rfilter request parameter is
| retrieved via the raw accessor grv() (rather than gfrv() with
| FILTER_VALIDATE_IS_REGEX validation) and concatenated directly into
| RLIKE SQL clauses in lib/html_graph.php and lib/html_tree.php, which
| are reachable pre-authentication through graph_view.php on
| installations with guest graph viewing enabled. Because the
| unbalanced-quote payload bypasses the regex validation that would
| otherwise reject it, an unauthenticated attacker can inject
| arbitrary SQL to compromise the confidentiality, integrity, and
| availability of the database. This advisory is similar to
| GHSA-69gg-mjfm-jjpc. This issue has been fixed in version 1.2.31.

CVE-2026-39951[7]:
| Cacti is an open source performance and fault management framework.
| Versions 1.2.30 and prior have a Stored SQL Injection vulnerability
| through graph_name_regexp in the Reports feature. This issue has
| been fixed in version 1.2.31.

CVE-2026-39955[8]:
| Cacti is an open source performance and fault management framework.
| Versions 1.2.30 and prior have pre-authentication SQL Injection via
| unanchored FILTER_VALIDATE_REGEXP in graph_view.php. This issue has
| been fixed in version 1.2.31.

CVE-2026-40079[9]:
| Cacti is an open source performance and fault management framework.
| Versions 1.2.30 and prior are vulnerable to Command Injection due to
| lack of sanitization in the escape_command() function. The
| escape_command() function at lib/rrd.php is a no-op: it returns
| $command unchanged. The command line built by
| rrdtool_function_graph() is passed through this function and then to
| shell_exec($full_commandline). The risk is in __rrd_execute() where
| text_format values from graph templates (which may contain host
| variable substitutions) reach shell_exec without adequate escaping.
| This issue has been addressed in version 1.2.31.

CVE-2026-40080[10]:
| Cacti is an open source performance and fault management framework.
| Versions 1.2.30 and prior are vulnerable to Open Redirect through a
| substring check rather than a host check at str_contains($referer,
| CACTI_PATH_URL). When the user's login_opts == '1' (redirect to
| referer after login), the function used $_SERVER['HTTP_REFERER']
| directly. An attacker could craft a referer such as
| https://evil.com/cacti/. Where CACTI_PATH_URL is /cacti/, the
| substring matches and the user is redirected to evil.com after
| login. The pre-existing validate_redirect_url() helper at
| lib/html_utility.php performed proper validation but was not invoked
| from auth_login_redirect(). This issue has been fixed in version
| 1.2.31.

CVE-2026-40082[11]:
| Cacti is an open source performance and fault management framework.
| Versions 1.2.30 and prior have missing session_regenerate_id() after
| login, leading to Session Fixation. session_regenerate_id() is NOT
| called after successful login. The login flow at
| auth_login.php:203-207 directly sets $_SESSION[SESS_USER_ID] without
| rotating the session ID. The session cookie configuration is
| otherwise good (httponly=true, samesite=Strict, secure=true for
| HTTPS at include/global.php:513-537), but these do not prevent
| session fixation via same-site vectors. This issue has been fixed in
| version 1.2.31.

CVE-2026-40083[12]:
| Cacti is an open source performance and fault management framework.
| Versions 1.2.30 and prior have SQL Injection through unsanitized
| unserialize+implode in managers.php. At line 756 of managers.php,
| the application assigns $selected_items by calling
| cacti_unserialize(stripslashes(gnrv('selected_graphs_array'))). The
| cacti_unserialize() function calls unserialize() with
| allowed_classes set to false, which prevents object injection but
| still allows arbitrary string arrays to be deserialized. Then, at
| lines 760 to 766, the deserialized array values are passed directly
| into db_execute('DELETE FROM snmpagent_managers WHERE id IN (' .
| implode(',', $selected_items) . ')'), where they are imploded into
| the SQL statement without any integer validation, resulting in SQL
| Injection when using SNMP agent management permissions. This issue
| has been fixed in version 1.2.31.

CVE-2026-40084[13]:
| Cacti is an open source performance and fault management framework.
| Versions 1.2.30 and prior are vulnerable to Path Traversal through
| the Report format_file Parameter, causing arbitrary file read. This
| vulnerability occurs in two stages. In the first stage (stored
| injection), lib/html_reports.php at line 283 stores
| $save['format_file'] = $post['format_file'] directly into the
| database without any validation. In the second stage (file read),
| lib/reports.php at line 667 concatenates CACTI_PATH_FORMATS . '/' .
| $format_file, and line 670 then calls file($format_file), reading
| arbitrary files from the filesystem. This issue has been fixed in
| version 1.2.31.

CVE-2026-40941[14]:
| Cacti is an open source performance and fault management framework.
| Versions 1.2.30 and prior have a package import signature validation
| bypass which allows self-signed packages. This issue has been
| fixed in version 1.2.31.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-39893
    https://www.cve.org/CVERecord?id=CVE-2026-39893
[1] https://security-tracker.debian.org/tracker/CVE-2026-39894
    https://www.cve.org/CVERecord?id=CVE-2026-39894
[2] https://security-tracker.debian.org/tracker/CVE-2026-39897
    https://www.cve.org/CVERecord?id=CVE-2026-39897
[3] https://security-tracker.debian.org/tracker/CVE-2026-39899
    https://www.cve.org/CVERecord?id=CVE-2026-39899
[4] https://security-tracker.debian.org/tracker/CVE-2026-39900
    https://www.cve.org/CVERecord?id=CVE-2026-39900
[5] https://security-tracker.debian.org/tracker/CVE-2026-39938
    https://www.cve.org/CVERecord?id=CVE-2026-39938
[6] https://security-tracker.debian.org/tracker/CVE-2026-39948
    https://www.cve.org/CVERecord?id=CVE-2026-39948
[7] https://security-tracker.debian.org/tracker/CVE-2026-39951
    https://www.cve.org/CVERecord?id=CVE-2026-39951
[8] https://security-tracker.debian.org/tracker/CVE-2026-39955
    https://www.cve.org/CVERecord?id=CVE-2026-39955
[9] https://security-tracker.debian.org/tracker/CVE-2026-40079
    https://www.cve.org/CVERecord?id=CVE-2026-40079
[10] https://security-tracker.debian.org/tracker/CVE-2026-40080
    https://www.cve.org/CVERecord?id=CVE-2026-40080
[11] https://security-tracker.debian.org/tracker/CVE-2026-40082
    https://www.cve.org/CVERecord?id=CVE-2026-40082
[12] https://security-tracker.debian.org/tracker/CVE-2026-40083
    https://www.cve.org/CVERecord?id=CVE-2026-40083
[13] https://security-tracker.debian.org/tracker/CVE-2026-40084
    https://www.cve.org/CVERecord?id=CVE-2026-40084
[14] https://security-tracker.debian.org/tracker/CVE-2026-40941
    https://www.cve.org/CVERecord?id=CVE-2026-40941

Regards,
Salvatore
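The two weaknesses the advisories above describe in most detail, the substring-based referer check behind CVE-2026-40080 and the unvalidated deserialized ID list behind CVE-2026-40083, come down to the same defensive rule: parse and type-check untrusted input before it crosses a trust boundary. The following PHP is an added example written for this report; it is not Cacti's validate_redirect_url(), cacti_unserialize() or any other project code, and the host name, application path and serialized inputs are constructed for the demonstration (PHP 8.0+ for str_contains() and str_starts_with()).

```php
<?php
// Added example, not Cacti code. Shows host-based redirect validation next to
// the weak substring check (CVE-2026-40080), and integer whitelisting of
// deserialized IDs before building an IN (...) list (CVE-2026-40083).

// Assumed values for this example; a real installation defines its own.
const EXAMPLE_CACTI_PATH_URL = '/cacti/';
const EXAMPLE_CACTI_HOST     = 'cacti.example.org';

// The weak check: only tests that the app path appears somewhere in the referer,
// so any foreign host that happens to contain "/cacti/" in its URL passes.
function referer_matches_by_substring(string $referer): bool
{
    return str_contains($referer, EXAMPLE_CACTI_PATH_URL);
}

// Host check: parse the URL, require an http(s) scheme, compare the host
// exactly (case-insensitively) and require the path to start with the app path.
// Path-only relative targets under the app path are accepted; scheme-relative
// forms (//host/...) carry a host and so go through the full host comparison.
function is_safe_redirect(string $url, string $expected_host, string $app_path): bool
{
    $parts = parse_url($url);
    if ($parts === false) {
        return false;
    }
    if (!isset($parts['host'])) {
        // No authority component: accept only a plain path under the app path.
        return !isset($parts['scheme']) && str_starts_with($url, $app_path);
    }
    if (!in_array(strtolower($parts['scheme'] ?? ''), ['http', 'https'], true)) {
        return false; // rejects scheme-relative and non-web schemes
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false; // userinfo tricks such as good-host@evil-host
    }
    if (strcasecmp($parts['host'], $expected_host) !== 0) {
        return false;
    }
    return str_starts_with($parts['path'] ?? '', $app_path);
}

// Deserialized input must be validated as integers before it reaches SQL.
// allowed_classes=false blocks object injection but, as the advisory notes,
// still yields arbitrary strings; the type check here is what closes the gap.
function selected_ids_from_serialized(string $serialized): array
{
    $items = @unserialize($serialized, ['allowed_classes' => false]);
    if (!is_array($items)) {
        return [];
    }
    $ids = [];
    foreach ($items as $item) {
        // Accept positive integers or their canonical decimal string form only.
        if ((is_int($item) && $item > 0)
            || (is_string($item) && preg_match('/^[1-9][0-9]*$/', $item) === 1)) {
            $ids[] = (int) $item;
        }
    }
    return array_values(array_unique($ids));
}

// Table name taken from the advisory text; the list is now guaranteed numeric.
function build_delete_sql(array $ids): ?string
{
    if ($ids === []) {
        return null; // never emit "IN ()", which is a syntax error anyway
    }
    return 'DELETE FROM snmpagent_managers WHERE id IN (' . implode(',', $ids) . ')';
}

// Demonstration with constructed inputs.
$candidates = [
    'https://cacti.example.org/cacti/graph_view.php',
    'https://evil.example/cacti/',
    '//evil.example/cacti/',
    'https://cacti.example.org.evil.example/cacti/',
    '/cacti/index.php',
];
foreach ($candidates as $ref) {
    printf("%-50s substring=%-4s host_check=%s\n", $ref,
        referer_matches_by_substring($ref) ? 'pass' : 'fail',
        is_safe_redirect($ref, EXAMPLE_CACTI_HOST, EXAMPLE_CACTI_PATH_URL) ? 'pass' : 'fail');
}

$clean = serialize(['3', '7', 7]);            // canonical IDs, duplicate collapsed
$dirty = serialize(['3', 'not-an-id', '7.0']); // non-integer strings are dropped
var_dump(build_delete_sql(selected_ids_from_serialized($clean)));
var_dump(build_delete_sql(selected_ids_from_serialized($dirty)));
```

The substring column passes the foreign-host referers that the advisory warns about, while the host check rejects them and still accepts both the absolute same-host URL and the relative path. For the ID list, validating each element as an integer is the minimum; passing the validated values as bound parameters instead of imploding them into the statement is the stronger habit.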

