CVE-2026-39948 | Cacti is an open source performance and fault management fra… | CVSS 9.3 CRITICAL

Description

Cacti is an open source performance and fault management framework. In versions 1.2.30 and prior, the rfilter request parameter is retrieved via the raw accessor grv() (rather than gfrv() with FILTER_VALIDATE_IS_REGEX validation) and concatenated directly into RLIKE SQL clauses in lib/html_graph.php and lib/html_tree.php, which are reachable pre-authentication through graph_view.php on installations with guest graph viewing enabled. Because the unbalanced-quote payload bypasses the regex validation that would otherwise reject it, an unauthenticated attacker can inject arbitrary SQL to compromise the confidentiality, integrity, and availability of the database. This advisory is similar to GHSA-69gg-mjfm-jjpc. This issue has been fixed in version 1.2.31.

Metadata

CVE ID: CVE-2026-39948
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-04-07 22:40 UTC
Published: 2026-06-24 23:06 UTC
Last updated: 2026-06-24 23:06 UTC
Primary CWE: CWE-89
CWE-89: Improper Neutralization of Special Elements used in …
Vendor / Product: Cacti / cacti
Sources: cve.org · NVD

Severity & Metrics

9.3 CRITICAL CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Affected products (1)

Vendor	Product	Platform	Versions
Cacti	cacti	—	< 1.2.31

Weakness (CWE)

CWE	Source	Description
CWE-89	cna	CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS scores (1)

Score	Severity	Version	Source	Vector
9.3	CRITICAL	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

References (2)

https://github.com/Cacti/cacti/security/advisories/GHSA-9jqv-4cpm-vm2c https://github.com/Cacti/cacti/security/advisories/GHSA-9jqv-4cpm-vm2c
https://github.com/Cacti/cacti/commit/136ae6ef0715e77bca69c0eb60781f5e17df0795 https://github.com/Cacti/cacti/commit/136ae6ef0715e77bca69c0eb60781f5e17df0795