Skip to main content

Cacti CVE-2026-40079

HIGH
OS Command Injection (CWE-78)
N/A vendor:alpine
8.6
CVSS 4.0 · Vendor: vendor:alpine
Share

Severity by source

Vendor (vendor:alpine) PRIMARY
8.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.2 HIGH

Network-reachable admin form with low complexity but requires administrative privilege to edit Data Input Methods (PR:H); resulting OS command execution yields full C/I/A within the host service context, scope unchanged.

3.1 AV:N/AC:L/PR:H/UI:N/S:N/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (vendor:alpine).

CVSS VectorVendor: vendor:alpine

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

6
Analysis Updated
Jun 25, 2026 - 00:31 vuln.today
v3 (cvss_changed)
Source Code Evidence Fetched
Jun 25, 2026 - 00:30 vuln.today
Analysis Updated
Jun 25, 2026 - 00:30 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 25, 2026 - 00:22 vuln.today
cvss_changed
CVSS changed
Jun 25, 2026 - 00:22 NVD
8.6 (HIGH)
Analysis Generated
Jun 18, 2026 - 11:00 vuln.today

DescriptionCVE.org

Alpine Linux: cacti fixed in 1.2.31-0

AnalysisAI

OS command injection in Cacti network monitoring (fixed in 1.2.31) lets an authenticated administrative user inject shell metacharacters into a Data Input Method's input string, which Cacti passes to the shell when running data-collection scripts, yielding code execution on the poller host. The 1.2.31 hardening (advisory GHSA-xq98-376r-hv9j) also closes CSV/formula injection in host and automation exports, a content-file path traversal in index.php, and unsafe rrdtool argument handling. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Recommended ActionAI

Within 24 hours: Inventory all Cacti deployments and document current versions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Cacti

View all
CVE-2025-24367 HIGH POC
8.7 Jan 27

Cacti monitoring platform prior to version 1.2.29 allows authenticated users to achieve remote code execution through th

CVE-2022-46169 CRITICAL POC
9.8 Dec 05

Cacti is an open source platform which provides a robust and extensible operational monitoring and fault management fram

CVE-2023-49085 HIGH POC
8.8 Dec 22

Cacti provides an operational monitoring and fault management framework. Rated high severity (CVSS 8.8), this vulnerabil

CVE-2023-49084 HIGH POC
8.8 Dec 21

Cacti is a robust performance and fault management framework and a frontend to RRDTool - a Time Series Database (TSDB).

CVE-2020-14295 HIGH POC
7.2 Jun 17

A SQL injection issue in color.php in Cacti 1.2.12 allows an admin to inject SQL via the filter parameter. Rated high se

CVE-2023-39361 CRITICAL POC
9.8 Sep 05

Cacti is an open source operational monitoring and fault management framework. Rated critical severity (CVSS 9.8), this

CVE-2017-1000031 HIGH POC
8.8 Jul 17

SQL injection vulnerability in graph_templates_inputs.php in Cacti 0.8.8b allows remote attackers to execute arbitrary S

CVE-2015-8604 HIGH POC
8.8 Apr 11

SQL injection vulnerability in the host_new_graphs function in graphs_new.php in Cacti 0.8.8f and earlier allows remote

CVE-2016-3659 HIGH POC
8.8 Apr 11

SQL injection vulnerability in graph_view.php in Cacti 0.8.8.g allows remote authenticated users to execute arbitrary SQ

CVE-2016-3172 HIGH POC
8.8 Apr 12

SQL injection vulnerability in tree.php in Cacti 0.8.8g and earlier allows remote authenticated users to execute arbitra

CVE-2025-66399 HIGH POC
8.8 Dec 02

Cacti is an open source performance and fault management framework. Prior to 1.2.29, there is an input-validation flaw i

CVE-2023-51448 HIGH POC
8.8 Dec 22

Cacti provides an operational monitoring and fault management framework. Rated high severity (CVSS 8.8), this vulnerabil

Share

CVE-2026-40079 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy