Cacti is an open source performance and fault management framework. In versions 1.2.30 and prior, the rfilter request variable was concatenated into a RLIKE SQL clause without sanitization. The endpoint does not require authentication (graph viewing supports guest access via the configured guest user), so the SQLi was reachable pre-auth on installs with guest viewing enabled. This issue was fixed in version 1.2.31.
History

Thu, 25 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 06:00:00 +0000

Type Values Removed Values Added
First Time appeared Cacti
Cacti cacti
Vendors & Products Cacti
Cacti cacti

Wed, 24 Jun 2026 22:15:00 +0000

Type Values Removed Values Added
Description Cacti is an open source performance and fault management framework. In versions 1.2.30 and prior, the rfilter request variable was concatenated into a RLIKE SQL clause without sanitization. The endpoint does not require authentication (graph viewing supports guest access via the configured guest user), so the SQLi was reachable pre-auth on installs with guest viewing enabled. This issue was fixed in version 1.2.31.
Title Cacti: Pre-authentication SQL injection via rfilter RLIKE clause in graph_view.php
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-06-24T21:45:34.948Z

Updated: 2026-06-26T03:55:27.505Z

Reserved: 2026-04-07T20:32:03.011Z

Link: CVE-2026-39893

cve-icon Vulnrichment

Updated: 2026-06-25T13:56:42.295Z

cve-icon NVD

No data.

cve-icon Redhat

No data.