Skip to main content

Cacti CVE-2026-39938

CRITICAL
Path Traversal (CWE-22)
N/A vendor:alpine
9.8
CVSS 3.1 · Vendor: vendor:alpine
Share

Severity by source

Vendor (vendor:alpine) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.1 HIGH

Cacti theme/graph functions are reached via an authenticated web session (PR:L); traversal is network-reachable and low-complexity, but the forced '/rrdtheme.php' suffix bounds impact, so C:H with limited I and no clear A.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (vendor:alpine).

CVSS VectorVendor: vendor:alpine

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Analysis Updated
Jun 24, 2026 - 23:31 vuln.today
v3 (cvss_changed)
Source Code Evidence Fetched
Jun 24, 2026 - 23:31 vuln.today
Analysis Updated
Jun 24, 2026 - 23:31 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 24, 2026 - 23:22 vuln.today
cvss_changed
CVSS changed
Jun 24, 2026 - 23:22 NVD
9.8 (CRITICAL)
Analysis Generated
Jun 18, 2026 - 11:01 vuln.today

DescriptionCVE.org

Alpine Linux: cacti fixed in 1.2.31-0

AnalysisAI

Path traversal in Cacti's RRDtool theme handling (lib/rrd.php) lets an attacker manipulate the 'graph_theme' value to escape the themes directory and force inclusion of an attacker-influenced 'rrdtheme.php' from an arbitrary path, fixed in Cacti 1.2.31 (Alpine package 1.2.31-0). Because the traversed path is appended to base_path and ultimately included by PHP, successful exploitation can lead to local file inclusion and potential code execution. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate to Cacti web UI
Delivery
Submit graph request with malicious graph_theme
Exploit
Path escapes include/themes directory
Execution
Cacti includes attacker-influenced rrdtheme.php
Impact
Local file inclusion / code execution

Vulnerability AssessmentAI

Exploitation Exploitation requires the ability to invoke Cacti's RRDtool theme/graph-rendering path (rrdtool_function_theme_font_options) with a controlled 'graph_theme' value containing traversal sequences; the resolved path is constrained to end in '/rrdtheme.php', so meaningful code-execution impact additionally requires the attacker to be able to reference an attacker-controlled rrdtheme.php on the filesystem. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The supplied CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N, C:H/I:H/A:H = 9.8 Critical) treats this as a remote, unauthenticated, fully-impacting flaw - but that is in tension with how Cacti exposes graph/theme functionality, which is normally reached through an authenticated session, so PR:N is likely optimistic; verify against the GHSA advisory (GHSA-rm7p-qcqm-x5m6). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with access to Cacti's graph-rendering functionality submits a request where the graph_theme value contains directory-traversal sequences (e.g. '../../../something'), causing Cacti to build a path outside include/themes/ and include a rrdtheme.php from a location the attacker influences. …
Remediation Upgrade to Cacti 1.2.31 or later (Alpine: cacti 1.2.31-0), which adds basename() sanitization of the graph_theme value; this is the primary and recommended fix per the vendor advisory GHSA-rm7p-qcqm-x5m6 (https://github.com/Cacti/cacti/security/advisories/GHSA-rm7p-qcqm-x5m6) and commit 9871f0cef9af285398d558c9b3188d5977e01a04 (https://github.com/Cacti/cacti/commit/9871f0cef9af285398d558c9b3188d5977e01a04). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all Cacti deployments and identify instances running versions prior to 1.2.31. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Cacti

View all
CVE-2025-24367 HIGH POC
8.7 Jan 27

Cacti monitoring platform prior to version 1.2.29 allows authenticated users to achieve remote code execution through th

CVE-2022-46169 CRITICAL POC
9.8 Dec 05

Cacti is an open source platform which provides a robust and extensible operational monitoring and fault management fram

CVE-2023-49085 HIGH POC
8.8 Dec 22

Cacti provides an operational monitoring and fault management framework. Rated high severity (CVSS 8.8), this vulnerabil

CVE-2023-49084 HIGH POC
8.8 Dec 21

Cacti is a robust performance and fault management framework and a frontend to RRDTool - a Time Series Database (TSDB).

CVE-2020-14295 HIGH POC
7.2 Jun 17

A SQL injection issue in color.php in Cacti 1.2.12 allows an admin to inject SQL via the filter parameter. Rated high se

CVE-2023-39361 CRITICAL POC
9.8 Sep 05

Cacti is an open source operational monitoring and fault management framework. Rated critical severity (CVSS 9.8), this

CVE-2017-1000031 HIGH POC
8.8 Jul 17

SQL injection vulnerability in graph_templates_inputs.php in Cacti 0.8.8b allows remote attackers to execute arbitrary S

CVE-2015-8604 HIGH POC
8.8 Apr 11

SQL injection vulnerability in the host_new_graphs function in graphs_new.php in Cacti 0.8.8f and earlier allows remote

CVE-2016-3659 HIGH POC
8.8 Apr 11

SQL injection vulnerability in graph_view.php in Cacti 0.8.8.g allows remote authenticated users to execute arbitrary SQ

CVE-2016-3172 HIGH POC
8.8 Apr 12

SQL injection vulnerability in tree.php in Cacti 0.8.8g and earlier allows remote authenticated users to execute arbitra

CVE-2025-66399 HIGH POC
8.8 Dec 02

Cacti is an open source performance and fault management framework. Prior to 1.2.29, there is an input-validation flaw i

CVE-2023-51448 HIGH POC
8.8 Dec 22

Cacti provides an operational monitoring and fault management framework. Rated high severity (CVSS 8.8), this vulnerabil

Share

CVE-2026-39938 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy