Threat Advisory

Cacti Vulnerability Exposes Reflected XSS

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

Multiple security vulnerabilities have been identified in Cacti, a performance and fault management framework, affecting versions 1.2.30 and prior. The vulnerabilities are of the Reflected XSS and Path Traversal types, which can lead to arbitrary JavaScript execution and unauthorized access to sensitive files, respectively. This poses a significant business risk, as it can result in data breaches, system compromise, and disruption of critical services.

• CVE-2026-39900 with a CVSS score of 5.3 – This vulnerability is a Reflected XSS flaw that allows an attacker to inject malicious JavaScript code into the auth_profile.php page, potentially stealing user data or taking control of the user's session. An attacker can exploit this vulnerability with a crafted URL that carries a malicious value in the "tab" parameter.

• CVE-2026-39899 with a CVSS score of 6.9 – This vulnerability is a Path Traversal flaw that enables an attacker to access arbitrary files on the server by manipulating the filename parameter in package_import.php, potentially exposing sensitive configuration data or executing malicious code.

The overall risk and urgency of these vulnerabilities are moderate to high, as they can be exploited to gain unauthorized access to sensitive data and disrupt critical services. If exploited, they can have severe business consequences, including data breaches, system compromise, and reputational damage, so prompt attention and mitigation are warranted.
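As an added example (not part of the original advisory and not Cacti's own code), the following defender-side check scans web server access logs for requests to the two affected scripts whose "tab" or "filename" parameter values look abnormal. The log lines are constructed, the rule that legitimate tab names are short plain tokens is an assumption, and the check is a heuristic for triage rather than a signature of the actual flaws.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (combined log format); not real Cacti traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/May/2026:10:00:01 +0000] "GET /cacti/auth_profile.php?tab=general HTTP/1.1" 200 5120
10.0.0.9 - - [01/May/2026:10:00:07 +0000] "GET /cacti/auth_profile.php?tab=%3Cscript%3Etest%3C%2Fscript%3E HTTP/1.1" 200 5200
10.0.0.7 - - [01/May/2026:10:01:12 +0000] "GET /cacti/package_import.php?filename=..%2F..%2F..%2Fetc%2Fhostname HTTP/1.1" 200 300
10.0.0.7 - - [01/May/2026:10:01:30 +0000] "POST /cacti/package_import.php HTTP/1.1" 302 0
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Assumption: legitimate Cacti profile tab names are short plain tokens.
SAFE_TAB = re.compile(r"^[A-Za-z0-9_-]{1,32}$")
# A ".." path segment, with either slash style, anywhere in the value.
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")


def inspect_request(target):
    """Return (script, param, decoded_value) findings for one request target."""
    parts = urlsplit(target)
    script = parts.path.rsplit("/", 1)[-1].lower()
    params = parse_qs(parts.query)  # decodes %XX once; drops empty values
    findings = []
    if script == "auth_profile.php":
        for value in params.get("tab", []):
            decoded = unquote(value)  # second pass catches double-encoded values
            if not SAFE_TAB.match(decoded):
                findings.append(("auth_profile.php", "tab", decoded))
    if script == "package_import.php":
        for value in params.get("filename", []):
            decoded = unquote(value).replace("\\", "/")
            if decoded.startswith("/") or TRAVERSAL.search(decoded):
                findings.append(("package_import.php", "filename", decoded))
    return findings


def scan_log(text):
    """Apply inspect_request to every request line; return (source_ip, script, param, value)."""
    hits = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        source_ip = line.split(" ", 1)[0]
        for script, param, value in inspect_request(match.group("target")):
            hits.append((source_ip, script, param, value))
    return hits
```

On the constructed sample, `scan_log(SAMPLE_LOG)` returns two hits: the tab value containing markup and the filename value containing ".." segments; the two ordinary requests produce none.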

RECOMMENDATION:

We recommend updating Cacti to version 1.2.31.

REFERENCES:

The following reports contain further technical details:
https://app.opencve.io/cve/CVE-2026-39900
https://app.opencve.io/cve/CVE-2026-39899
