Threat Advisory

Cacti Vulnerabilities Enable Pre-Authentication SQL Injection

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Critical

EXECUTIVE SUMMARY:

Multiple security vulnerabilities have been identified in Cacti versions 1.2.30 and earlier: pre-authentication SQL injection and unauthenticated local file inclusion. They pose a significant business risk because stored data can be exposed or altered without credentials.

  • CVE-2026-39893 with a CVSS score of 9.8 – A pre-authentication SQL injection flaw reachable through the rfilter parameter, whose value is used in RLIKE clauses; an attacker can inject arbitrary SQL and expose or alter stored data.
  • CVE-2026-39948 with a CVSS score of 9.3 – The same pre-authentication SQL injection pattern as CVE-2026-39893, triggered through crafted rfilter values.
  • CVE-2026-39955 with a CVSS score of 9.5 – An unanchored regular-expression filter that can be bypassed to defeat input validation, again leading to SQL injection.
  • CVE-2026-39938 with a CVSS score of 9.3 – A local file inclusion flaw: the graph_theme path can be manipulated to read local files, potentially leaking server secrets.
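As an added illustration of the two bug classes listed above (this is not Cacti's code and is not taken from the referenced report), the following Python sketch puts the weak validation and query patterns beside their hardened forms. SQLite's REGEXP operator stands in for MySQL's RLIKE, the table rows are constructed sample data, and the names FILTER_ALLOWLIST, THEME_NAME, make_db, search_concatenated, search_bound, resolve_theme_file and base_dir are assumptions made for the example; only rfilter and graph_theme come from the advisory.

```python
import re
import sqlite3
from pathlib import Path

# --- 1. Regex allowlist: unanchored vs anchored -------------------------
# Hypothetical allowlist for a user-supplied regex filter value (letters,
# digits, underscore, space, '.' and '*'). Not Cacti's actual validation.
FILTER_ALLOWLIST = re.compile(r"[A-Za-z0-9_ .*]+")


def is_valid_unanchored(value: str) -> bool:
    """Buggy check: re.search succeeds if ANY substring matches, so a value
    containing one allowed character followed by anything else still passes."""
    return FILTER_ALLOWLIST.search(value) is not None


def is_valid_anchored(value: str) -> bool:
    """Fixed check: the whole value must match (in PCRE, wrap the pattern
    in \\A ... \\z so it cannot match a substring)."""
    return FILTER_ALLOWLIST.fullmatch(value) is not None


# --- 2. Regex filter in SQL: concatenation vs bound parameter ------------
def _regexp(pattern, value):
    # SQLite has no RLIKE; registering REGEXP lets 'col REGEXP ?' play the
    # role MySQL's RLIKE plays in the advisory. Stand-in only.
    if value is None:
        return 0
    try:
        return 1 if re.search(pattern, value) else 0
    except re.error:
        return 0


def make_db() -> sqlite3.Connection:
    """In-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("REGEXP", 2, _regexp)
    conn.execute("CREATE TABLE graph (id INTEGER, title TEXT)")
    conn.executemany(
        "INSERT INTO graph VALUES (?, ?)",
        [(1, "cpu usage"), (2, "memory usage"), (3, "disk io")],
    )
    return conn


def search_concatenated(conn, rfilter: str) -> list:
    """Vulnerable: the filter is spliced into the statement text, so a quote
    in the value terminates the literal and the remainder is parsed as SQL."""
    sql = "SELECT id FROM graph WHERE title REGEXP '" + rfilter + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def search_bound(conn, rfilter: str, validate: bool = True) -> list:
    """Hardened: allowlist the value (anchored), then bind it. A bound value
    is only ever a pattern string; it never becomes part of the statement,
    which is why validate=False still cannot turn it into SQL."""
    if validate and not is_valid_anchored(rfilter):
        raise ValueError("rfilter rejected by allowlist")
    sql = "SELECT id FROM graph WHERE title REGEXP ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (rfilter,))]


# --- 3. Theme file resolution: containment check -------------------------
THEME_NAME = re.compile(r"[a-z0-9_-]+")


def resolve_theme_file(base_dir: str, theme: str) -> Path:
    """Map a user-supplied theme name (the graph_theme role) to a file under
    base_dir. Two independent layers: an anchored name allowlist, then a
    resolved-path containment check so neither '..' nor a symlink can leave
    base_dir."""
    if THEME_NAME.fullmatch(theme) is None:
        raise ValueError("theme name rejected")
    base = Path(base_dir).resolve()
    candidate = (base / theme / "main.css").resolve()
    if base not in candidate.parents:
        raise ValueError("theme path escapes base directory")
    return candidate


if __name__ == "__main__":
    db = make_db()
    crafted = "usage' OR 'x'='x"   # constructed input with a quote in it
    print("unanchored accepts crafted value:", is_valid_unanchored(crafted))
    print("anchored accepts crafted value:  ", is_valid_anchored(crafted))
    print("concatenated query rows:", search_concatenated(db, crafted))
    print("bound query rows:       ", search_bound(db, crafted, validate=False))
    print("theme file:", resolve_theme_file("/srv/themes", "modern"))
```

The concatenated query returns every row for the quoted input because the value rewrote the WHERE clause, while the bound query treats the same string as a literal pattern and matches nothing; the anchored allowlist rejects it before the query is even built. The theme resolver applies the same anchoring lesson to path handling and adds a resolved-path check as a second layer.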

These vulnerabilities pose a significant risk to businesses: pre-authentication database access can expose or alter data, and local file reads can leak server secrets. Immediate attention is needed to prevent exploitation and the resulting business consequences.

RECOMMENDATION:

  • We recommend updating Cacti to version 1.2.31.

REFERENCES:

The following reports contain further technical details:
https://securityonline.info/cacti-vulnerabilities-1-2-31/
