CVE-2026-40941 | Cacti is an open source performance and fault management fra… | CVSS 7.1 HIGH

Description

Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have a package import signature validation bypass allows which allows self-signed packages. This issue has been fixed in version 1.2.31.

Metadata

CVE ID: CVE-2026-40941
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-04-15 20:40 UTC
Published: 2026-06-25 23:01 UTC
Last updated: 2026-06-25 23:01 UTC
Primary CWE: CWE-347
CWE-347: Improper Verification of Cryptographic Signature
Vendor / Product: Cacti / cacti
Sources: cve.org · NVD

Severity & Metrics

7.1 HIGH CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Affected products (1)

Vendor	Product	Platform	Versions
Cacti	cacti	—	< 1.2.31

Weakness (CWE)

CWE	Source	Description
CWE-347	cna	CWE-347: Improper Verification of Cryptographic Signature

CVSS scores (1)

Score	Severity	Version	Source	Vector
7.1	HIGH	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

References (3)

https://github.com/Cacti/cacti/security/advisories/GHSA-274c-97hj-pv2v https://github.com/Cacti/cacti/security/advisories/GHSA-274c-97hj-pv2v
https://github.com/Cacti/cacti/pull/7054 https://github.com/Cacti/cacti/pull/7054
https://github.com/Cacti/cacti/releases/tag/release%2F1.2.31 https://github.com/Cacti/cacti/releases/tag/release%2F1.2.31