Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Cacti theme/graph functions are reached via an authenticated web session (PR:L); traversal is network-reachable and low-complexity, but the forced '/rrdtheme.php' suffix bounds impact, so C:H with limited I and no clear A.
Primary rating from Vendor (vendor:alpine).
CVSS VectorVendor: vendor:alpine
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
6DescriptionCVE.org
Alpine Linux: cacti fixed in 1.2.31-0
AnalysisAI
Path traversal in Cacti's RRDtool theme handling (lib/rrd.php) lets an attacker manipulate the 'graph_theme' value to escape the themes directory and force inclusion of an attacker-influenced 'rrdtheme.php' from an arbitrary path, fixed in Cacti 1.2.31 (Alpine package 1.2.31-0). Because the traversed path is appended to base_path and ultimately included by PHP, successful exploitation can lead to local file inclusion and potential code execution. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the ability to invoke Cacti's RRDtool theme/graph-rendering path (rrdtool_function_theme_font_options) with a controlled 'graph_theme' value containing traversal sequences; the resolved path is constrained to end in '/rrdtheme.php', so meaningful code-execution impact additionally requires the attacker to be able to reference an attacker-controlled rrdtheme.php on the filesystem. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The supplied CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N, C:H/I:H/A:H = 9.8 Critical) treats this as a remote, unauthenticated, fully-impacting flaw - but that is in tension with how Cacti exposes graph/theme functionality, which is normally reached through an authenticated session, so PR:N is likely optimistic; verify against the GHSA advisory (GHSA-rm7p-qcqm-x5m6). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with access to Cacti's graph-rendering functionality submits a request where the graph_theme value contains directory-traversal sequences (e.g. '../../../something'), causing Cacti to build a path outside include/themes/ and include a rrdtheme.php from a location the attacker influences. … |
| Remediation | Upgrade to Cacti 1.2.31 or later (Alpine: cacti 1.2.31-0), which adds basename() sanitization of the graph_theme value; this is the primary and recommended fix per the vendor advisory GHSA-rm7p-qcqm-x5m6 (https://github.com/Cacti/cacti/security/advisories/GHSA-rm7p-qcqm-x5m6) and commit 9871f0cef9af285398d558c9b3188d5977e01a04 (https://github.com/Cacti/cacti/commit/9871f0cef9af285398d558c9b3188d5977e01a04). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all Cacti deployments and identify instances running versions prior to 1.2.31. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Cacti monitoring platform prior to version 1.2.29 allows authenticated users to achieve remote code execution through th
Cacti is an open source platform which provides a robust and extensible operational monitoring and fault management fram
Cacti provides an operational monitoring and fault management framework. Rated high severity (CVSS 8.8), this vulnerabil
Cacti is a robust performance and fault management framework and a frontend to RRDTool - a Time Series Database (TSDB).
A SQL injection issue in color.php in Cacti 1.2.12 allows an admin to inject SQL via the filter parameter. Rated high se
Cacti is an open source operational monitoring and fault management framework. Rated critical severity (CVSS 9.8), this
SQL injection vulnerability in graph_templates_inputs.php in Cacti 0.8.8b allows remote attackers to execute arbitrary S
SQL injection vulnerability in the host_new_graphs function in graphs_new.php in Cacti 0.8.8f and earlier allows remote
SQL injection vulnerability in graph_view.php in Cacti 0.8.8.g allows remote authenticated users to execute arbitrary SQ
SQL injection vulnerability in tree.php in Cacti 0.8.8g and earlier allows remote authenticated users to execute arbitra
Cacti is an open source performance and fault management framework. Prior to 1.2.29, there is an input-validation flaw i
Cacti provides an operational monitoring and fault management framework. Rated high severity (CVSS 8.8), this vulnerabil
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today