Skip to main content

Cacti

107 CVEs product

Monthly

CVE-2025-66399 HIGH POC PATCH This Week

Cacti is an open source performance and fault management framework. Prior to 1.2.29, there is an input-validation flaw in the SNMP device configuration functionality. An authenticated Cacti user can supply crafted SNMP community strings containing control characters (including newlines) that are accepted, stored verbatim in the database, and later embedded into backend SNMP operations. In environments where downstream SNMP tooling or wrappers interpret newline-separated tokens as command boundaries, this can lead to unintended command execution with the privileges of the Cacti process. This vulnerability is fixed in 1.2.29.

Command Injection Ubuntu Debian Cacti Suse
NVD GitHub
CVSS 3.1
8.8
EPSS
0.4%
CVE-2025-26520 HIGH PATCH This Week

Cacti through 1.2.29 allows SQL injection in the template function in host_templates.php via the graph_template parameter. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, low attack complexity.

PHP SQLi Cacti Suse
NVD GitHub
CVSS 3.1
7.6
EPSS
0.1%
CVE-2025-24368 MEDIUM POC PATCH This Week

Cacti is an open source performance and fault management framework. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

PHP SQLi Cacti Suse
NVD GitHub
CVSS 4.0
6.9
EPSS
0.1%
CVE-2025-24367 HIGH POC PATCH THREAT Act Now

Cacti monitoring platform prior to version 1.2.29 allows authenticated users to achieve remote code execution through the graph creation and template functionality. Attackers abuse the graphing engine to create arbitrary PHP scripts in the web root, escalating from monitoring access to full server control.

RCE PHP Cacti Suse
NVD GitHub
CVSS 4.0
8.7
EPSS
90.5%
Threat
6.0
CVE-2025-22604 CRITICAL POC PATCH THREAT Act Now

Cacti versions prior to 1.2.29 contain an authenticated command injection through the SNMP result parser. By injecting malformed OIDs into SNMP responses, authenticated users can execute arbitrary system commands when the results are processed by the ss_net_snmp_disk_io() or ss_net_snmp_disk_bytes() functions.

Command Injection Cacti Suse
NVD GitHub
CVSS 3.1
9.1
EPSS
72.2%
CVE-2024-54146 HIGH POC PATCH This Month

Cacti is an open source performance and fault management framework. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

PHP SQLi Cacti Suse
NVD GitHub
CVSS 3.1
7.6
EPSS
9.8%
CVE-2024-54145 MEDIUM POC PATCH This Month

Cacti is an open source performance and fault management framework. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

PHP SQLi Cacti Suse
NVD GitHub
CVSS 3.1
6.3
EPSS
0.1%
CVE-2024-45598 MEDIUM POC PATCH This Month

Cacti is an open source performance and fault management framework. Rated medium severity (CVSS 6.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Path Traversal Cacti Suse
NVD GitHub
CVSS 3.1
6.0
EPSS
0.1%
CVE-2023-51448 HIGH POC This Week

Cacti provides an operational monitoring and fault management framework. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Cacti
NVD GitHub
CVSS 3.1
8.8
EPSS
9.0%
CVE-2023-50250 MEDIUM POC This Month

Cacti is an open source operational monitoring and fault management framework. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Cacti
NVD GitHub
CVSS 3.1
6.1
EPSS
1.3%
CVE-2023-49088 MEDIUM POC This Month

Cacti is an open source operational monitoring and fault management framework. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Cacti
NVD GitHub
CVSS 3.1
4.8
EPSS
1.3%
CVE-2023-49085 HIGH POC THREAT Act Now

Cacti provides an operational monitoring and fault management framework. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP SQLi Cacti
NVD GitHub
CVSS 3.1
8.8
EPSS
84.6%
CVE-2023-49086 MEDIUM POC PATCH This Month

Cacti is a robust performance and fault management framework and a frontend to RRDTool - a Time Series Database (TSDB). Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

PHP XSS Cacti
NVD GitHub
CVSS 3.1
5.4
EPSS
1.5%
CVE-2023-49084 HIGH POC THREAT Act Now

Cacti is a robust performance and fault management framework and a frontend to RRDTool - a Time Series Database (TSDB). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE LFI PHP SQLi Cacti
NVD GitHub
CVSS 3.1
8.8
EPSS
63.8%
CVE-2023-46490 MEDIUM POC This Month

SQL Injection vulnerability in Cacti v1.2.25 allows a remote attacker to obtain sensitive information via the form_actions() function in the managers.php function. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Cacti
NVD GitHub
CVSS 3.1
6.5
EPSS
1.4%
CVE-2023-39511 MEDIUM POC This Month

Cacti is an open source operational monitoring and fault management framework. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Cacti Fedora
NVD GitHub
CVSS 3.1
4.8
EPSS
0.7%
CVE-2023-39516 MEDIUM POC This Month

Cacti is an open source operational monitoring and fault management framework. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Cacti Fedora
NVD GitHub
CVSS 3.1
4.8
EPSS
0.7%
CVE-2023-39365 MEDIUM POC This Month

Cacti is an open source operational monitoring and fault management framework. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Cacti Fedora
NVD GitHub
CVSS 3.1
6.3
EPSS
0.9%
CVE-2023-39364 MEDIUM POC This Month

Cacti is an open source operational monitoring and fault management framework. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP Open Redirect Cacti Fedora
NVD GitHub
CVSS 3.1
5.4
EPSS
0.6%
CVE-2023-39362 HIGH POC THREAT This Week

Cacti is an open source operational monitoring and fault management framework. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP RCE Command Injection Cacti Fedora
NVD GitHub Exploit-DB
CVSS 3.1
7.2
EPSS
82.2%
CVE-2023-39358 HIGH POC This Week

Cacti is an open source operational monitoring and fault management framework. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation RCE PHP SQLi Cacti +1
NVD GitHub
CVSS 3.1
8.8
EPSS
1.7%
CVE-2023-39357 HIGH POC This Week

Cacti is an open source operational monitoring and fault management framework. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation RCE SQLi Cacti Fedora
NVD GitHub
CVSS 3.1
8.8
EPSS
1.5%
CVE-2023-31132 HIGH POC This Week

Cacti is an open source operational monitoring and fault management framework. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Microsoft PHP Authentication Bypass Cacti
NVD GitHub
CVSS 3.1
7.8
EPSS
0.4%
CVE-2023-30534 MEDIUM POC This Month

Cacti is an open source operational monitoring and fault management framework. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP Deserialization Cacti Fedora
NVD GitHub
CVSS 3.1
4.3
EPSS
2.6%
CVE-2023-39515 MEDIUM POC This Month

Cacti is an open source operational monitoring and fault management framework. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Cacti Fedora
NVD GitHub
CVSS 3.1
4.8
EPSS
0.7%
CVE-2023-39514 MEDIUM POC This Month

Cacti is an open source operational monitoring and fault management framework. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Cacti Fedora
NVD GitHub
CVSS 3.1
5.4
EPSS
0.7%
CVE-2023-39513 MEDIUM POC This Month

Cacti is an open source operational monitoring and fault management framework. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Cacti Fedora
NVD GitHub
CVSS 3.1
5.4
EPSS
0.8%
CVE-2023-39512 MEDIUM POC This Month

Cacti is an open source operational monitoring and fault management framework. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Cacti Fedora
NVD GitHub
CVSS 3.1
4.8
EPSS
0.7%
CVE-2023-39510 MEDIUM POC This Month

Cacti is an open source operational monitoring and fault management framework. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Cacti Fedora
NVD GitHub
CVSS 3.1
4.8
EPSS
0.7%
CVE-2023-39366 MEDIUM POC This Month

Cacti is an open source operational monitoring and fault management framework. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Cacti Fedora
NVD GitHub
CVSS 3.1
4.8
EPSS
0.8%
CVE-2023-39361 CRITICAL POC THREAT Act Now

Cacti is an open source operational monitoring and fault management framework. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP SQLi Cacti Fedora
NVD GitHub
CVSS 3.1
9.8
EPSS
87.7%
CVE-2023-39360 MEDIUM POC This Month

Cacti is an open source operational monitoring and fault management framework.Affected versions are subject to a Stored Cross-Site-Scripting (XSS) Vulnerability allows an authenticated user to poison. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Cacti Fedora
NVD GitHub
CVSS 3.1
6.1
EPSS
0.8%
CVE-2023-39359 HIGH POC This Week

Cacti is an open source operational monitoring and fault management framework. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation RCE PHP SQLi Cacti +1
NVD GitHub
CVSS 3.1
8.8
EPSS
1.7%
CVE-2023-37543 HIGH This Week

Cacti before 1.2.6 allows IDOR (Insecure Direct Object Reference) for accessing any graph via a modified local_graph_id parameter to graph_xport.php. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PHP Authentication Bypass Cacti
NVD GitHub
CVSS 3.1
7.5
EPSS
0.7%
CVE-2022-46169 CRITICAL POC KEV PATCH THREAT Act Now

Cacti is an open source platform which provides a robust and extensible operational monitoring and fault management framework for users. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

RCE PHP Command Injection Cacti
NVD GitHub Exploit-DB
CVSS 3.1
9.8
EPSS
99.8%
CVE-2022-0730 CRITICAL Act Now

Under certain ldap conditions, Cacti authentication can be bypassed with certain credential types. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Cacti Debian Linux Fedora
NVD GitHub
CVSS 3.1
9.8
EPSS
3.4%
CVE-2020-25706 MEDIUM POC PATCH This Month

A cross-site scripting (XSS) vulnerability exists in templates_import.php (Cacti 1.2.13) due to Improper escaping of error message during template import preview in the xml_path field. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS PHP Cacti Debian Linux
NVD GitHub
CVSS 3.1
6.1
EPSS
2.8%
CVE-2020-14295 HIGH POC THREAT Act Now

A SQL injection issue in color.php in Cacti 1.2.12 allows an admin to inject SQL via the filter parameter. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Cacti Fedora
NVD GitHub Exploit-DB
CVSS 3.1
7.2
EPSS
86.3%
CVE-2020-13231 MEDIUM POC This Month

In Cacti before 1.2.11, auth_profile.php?action=edit allows CSRF for an admin email change. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF PHP Cacti Fedora
NVD GitHub
CVSS 3.1
6.5
EPSS
0.8%
CVE-2020-13230 MEDIUM POC This Month

In Cacti before 1.2.11, disabling a user account does not immediately invalidate any permissions granted to that account (e.g., permission to view logs). Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Cacti Debian Linux Fedora
NVD GitHub
CVSS 3.1
4.3
EPSS
1.0%
CVE-2020-8813 HIGH POC THREAT This Week

graph_realtime.php in Cacti 1.2.8 allows remote attackers to execute arbitrary OS commands via shell metacharacters in a cookie, if a guest user has the graph real-time privilege. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection PHP Cacti Fedora Open Audit +2
NVD GitHub Exploit-DB
CVSS 3.1
8.8
EPSS
73.8%
CVE-2020-7237 HIGH POC THREAT This Week

Cacti 1.2.8 allows Remote Code Execution (by privileged users) via shell metacharacters in the Performance Boost Debug Log field of poller_automation.php. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE Command Injection PHP Cacti
NVD GitHub
CVSS 3.1
8.8
EPSS
36.8%
CVE-2020-7106 MEDIUM POC This Month

Cacti 1.2.8 has stored XSS in data_sources.php, color_templates_item.php, graphs.php, graph_items.php, lib/api_automation.php, user_admin.php, and user_group_admin.php, as demonstrated by the. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP Cacti Debian Linux Backports Sle +4
NVD GitHub
CVSS 3.1
6.1
EPSS
2.1%
CVE-2020-7058 HIGH POC This Week

data_input.php in Cacti 1.2.8 allows remote code execution via a crafted Input String to Data Collection -> Data Input Methods -> Unix -> Ping Host. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP Cacti
NVD GitHub
CVSS 3.1
8.8
EPSS
2.3%
CVE-2019-17358 HIGH POC This Week

Cacti through 1.2.7 is affected by multiple instances of lib/functions.php unsafe deserialization of user-controlled data to populate arrays. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP Buffer Overflow Deserialization Cacti Debian Linux +1
NVD GitHub
CVSS 3.1
8.1
EPSS
3.0%
CVE-2019-16723 MEDIUM PATCH This Month

In Cacti through 1.2.6, authenticated users may bypass authorization checks (for viewing a graph) via a direct graph_json.php request with a modified local_graph_id parameter. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity.

Authentication Bypass PHP Cacti
NVD GitHub
CVSS 3.1
4.3
EPSS
1.5%
CVE-2019-11025 MEDIUM POC This Month

In clearFilter() in utilities.php in Cacti before 1.2.3, no escaping occurs before printing out the value of the SNMP community string (SNMP Options) in the View poller cache, leading to XSS. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP Cacti Debian Linux
NVD GitHub
CVSS 3.1
5.4
EPSS
1.3%
CVE-2018-10061 MEDIUM POC This Month

Cacti before 1.1.37 has XSS because it makes certain htmlspecialchars calls without the ENT_QUOTES flag (these calls occur when the html_escape function in lib/html.php is not used). Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP Cacti Debian Linux
NVD GitHub
CVSS 3.1
5.4
EPSS
1.1%
CVE-2018-10060 MEDIUM POC This Month

Cacti before 1.1.37 has XSS because it does not properly reject unintended characters, related to use of the sanitize_uri function in lib/functions.php. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP Cacti Debian Linux
NVD GitHub
CVSS 3.1
5.4
EPSS
1.0%
CVE-2018-10059 MEDIUM POC This Month

Cacti before 1.1.37 has XSS because the get_current_page function in lib/functions.php relies on $_SERVER['PHP_SELF'] instead of $_SERVER['SCRIPT_NAME'] to determine a page name. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP Cacti
NVD GitHub
CVSS 3.0
5.4
EPSS
1.2%
CVE-2016-10700 HIGH PATCH This Week

auth_login.php in Cacti before 1.0.0 allows remote authenticated users who use web authentication to bypass intended access restrictions by logging in as a user not in the cacti database, because the. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

PHP Privilege Escalation Cacti
NVD GitHub
CVSS 3.0
8.8
EPSS
0.6%
CVE-2014-4000 HIGH This Week

Cacti before 1.0.0 allows remote authenticated users to conduct PHP object injection attacks and execute arbitrary PHP code via a crafted serialized object, related to calling. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Code Injection Deserialization PHP Cacti
NVD
CVSS 3.0
8.8
EPSS
1.1%
CVE-2017-16785 MEDIUM POC This Month

Cacti 1.1.27 has reflected XSS via the PATH_INFO to host.php. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP Cacti
NVD GitHub
CVSS 3.0
6.1
EPSS
0.2%
CVE-2017-16661 MEDIUM POC This Month

Cacti 1.1.27 allows remote authenticated administrators to read arbitrary files by placing the Log Path into a private directory, and then making a clog.php?filename= request, as demonstrated by. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP Information Disclosure Cacti
NVD GitHub
CVSS 3.0
4.9
EPSS
0.1%
CVE-2017-16660 HIGH POC This Week

Cacti 1.1.27 allows remote authenticated administrators to conduct Remote Code Execution attacks by placing the Log Path under the web root, and then making a remote_agent.php request containing PHP. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP Information Disclosure Cacti
NVD GitHub
CVSS 3.0
7.2
EPSS
2.6%
CVE-2017-16641 HIGH POC This Week

lib/rrd.php in Cacti 1.1.27 allows remote authenticated administrators to execute arbitrary OS commands via the path_rrdtool parameter in an action=save request to settings.php. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP Command Injection Cacti
NVD GitHub
CVSS 3.0
7.2
EPSS
1.3%
CVE-2017-15194 MEDIUM POC PATCH This Month

include/global_session.php in Cacti 1.1.25 has XSS related to (1) the URI or (2) the refresh page. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS PHP Cacti
NVD GitHub
CVSS 3.0
6.1
EPSS
0.3%
CVE-2017-12978 MEDIUM PATCH This Month

lib/html.php in Cacti before 1.1.18 has XSS via the title field of an external link added by an authenticated user. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS PHP Cacti
NVD GitHub
CVSS 3.0
5.4
EPSS
0.3%
CVE-2017-12927 MEDIUM PATCH This Month

A cross-site scripting vulnerability exists in Cacti 1.1.17 in the method parameter in spikekill.php. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS PHP Cacti
NVD GitHub
CVSS 3.0
6.1
EPSS
0.4%
CVE-2017-12066 MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerability in aggregate_graphs.php in Cacti before 1.1.16 allows remote authenticated users to inject arbitrary web script or HTML via specially crafted HTTP Referer. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity.

XSS PHP Cacti
NVD GitHub
CVSS 3.0
5.4
EPSS
0.2%
CVE-2017-12065 CRITICAL PATCH Act Now

spikekill.php in Cacti before 1.1.16 might allow remote attackers to execute arbitrary code via the avgnan, outlier-start, or outlier-end parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

RCE PHP Cacti
NVD GitHub
CVSS 3.0
9.8
EPSS
3.1%
CVE-2017-11691 MEDIUM POC PATCH This Month

Cross-site scripting (XSS) vulnerability in auth_profile.php in Cacti 1.1.13 allows remote attackers to inject arbitrary web script or HTML via specially crafted HTTP Referer headers. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS PHP Cacti
NVD GitHub
CVSS 3.0
5.4
EPSS
0.5%
CVE-2017-1000032 MEDIUM This Month

Cross-Site scripting (XSS) vulnerabilities in Cacti 0.8.8b allow remote attackers to inject arbitrary web script or HTML via the parent_id parameter to tree.php and drp_action parameter to. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS PHP Cacti
NVD
CVSS 3.0
6.1
EPSS
0.2%
CVE-2017-1000031 HIGH POC This Week

SQL injection vulnerability in graph_templates_inputs.php in Cacti 0.8.8b allows remote attackers to execute arbitrary SQL commands via the graph_template_input_id and graph_template_id parameters. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Cacti
NVD
CVSS 3.0
8.8
EPSS
1.1%
CVE-2017-11163 MEDIUM POC This Month

Cross-site scripting (XSS) vulnerability in aggregate_graphs.php in Cacti 1.1.12 allows remote authenticated users to inject arbitrary web script or HTML via specially crafted HTTP Referer headers,. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP Cacti
NVD GitHub
CVSS 3.0
5.4
EPSS
0.2%
CVE-2017-10970 MEDIUM This Month

Cross-site scripting (XSS) vulnerability in link.php in Cacti 1.1.12 allows remote anonymous users to inject arbitrary web script or HTML via the id parameter, related to the die_html_input_error. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS PHP Cacti
NVD GitHub
CVSS 3.0
5.4
EPSS
0.2%
CVE-2016-2313 HIGH This Week

auth_login.php in Cacti before 0.8.8g allows remote authenticated users who use web authentication to bypass intended access restrictions by logging in as a user not in the cacti database. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP Privilege Escalation Cacti Leap Opensuse
NVD
CVSS 3.0
8.8
EPSS
1.1%
CVE-2016-3172 HIGH POC This Week

SQL injection vulnerability in tree.php in Cacti 0.8.8g and earlier allows remote authenticated users to execute arbitrary SQL commands via the parent_id parameter in an item_edit action. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Cacti
NVD
CVSS 3.0
8.8
EPSS
0.5%
CVE-2015-8604 HIGH POC This Week

SQL injection vulnerability in the host_new_graphs function in graphs_new.php in Cacti 0.8.8f and earlier allows remote authenticated users to execute arbitrary SQL commands via the cg_g parameter in. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Cacti
NVD
CVSS 3.0
8.8
EPSS
0.7%
CVE-2016-3659 HIGH POC This Week

SQL injection vulnerability in graph_view.php in Cacti 0.8.8.g allows remote authenticated users to execute arbitrary SQL commands via the host_group_data parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Cacti
NVD
CVSS 3.0
8.8
EPSS
0.6%
CVE-2015-8369 HIGH POC This Week

SQL injection vulnerability in include/top_graph_header.php in Cacti 0.8.8f and earlier allows remote attackers to execute arbitrary SQL commands via the rra_id parameter in a properties action to. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Cacti
NVD
CVSS 2.0
7.5
EPSS
0.5%
CVE-2015-8377 MEDIUM POC This Month

SQL injection vulnerability in the host_new_graphs_save function in graphs_new.php in Cacti 0.8.8f and earlier allows remote authenticated users to execute arbitrary SQL commands via crafted. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Cacti
NVD
CVSS 2.0
6.5
EPSS
0.3%
CVE-2015-4634 HIGH POC This Week

SQL injection vulnerability in graphs.php in Cacti before 0.8.8e allows remote attackers to execute arbitrary SQL commands via the local_graph_id parameter. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Cacti
NVD
CVSS 2.0
7.5
EPSS
0.4%
CVE-2015-2967 MEDIUM This Month

Cross-site scripting (XSS) vulnerability in settings.php in Cacti before 0.8.8d allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.

XSS PHP Cacti
NVD
CVSS 2.0
4.3
EPSS
0.3%
CVE-2015-4454 HIGH PATCH This Week

SQL injection vulnerability in the get_hash_graph_template function in lib/functions.php in Cacti before 0.8.8d allows remote attackers to execute arbitrary SQL commands via the graph_template_id. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity.

PHP SQLi Cacti Fedora
NVD
CVSS 2.0
7.5
EPSS
0.6%
CVE-2015-4342 HIGH PATCH This Week

SQL injection vulnerability in Cacti before 0.8.8d allows remote attackers to execute arbitrary SQL commands via unspecified vectors involving a cdef id. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity.

SQLi Cacti Fedora
NVD
CVSS 2.0
7.5
EPSS
3.8%
CVE-2015-2665 MEDIUM This Month

Cross-site scripting (XSS) vulnerability in Cacti before 0.8.8d allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.

XSS Cacti Fedora
NVD
CVSS 2.0
4.3
EPSS
0.4%
CVE-2015-0916 MEDIUM PATCH This Month

SQL injection vulnerability in graph.php in Cacti before 0.8.6f allows remote authenticated users to execute arbitrary SQL commands via the local_graph_id parameter, a different vulnerability than. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

PHP SQLi Cacti
NVD
CVSS 2.0
6.5
EPSS
0.4%
CVE-2014-5026 LOW POC Monitor

Multiple cross-site scripting (XSS) vulnerabilities in Cacti 0.8.8b allow remote authenticated users with console access to inject arbitrary web script or HTML via a (1) Graph Tree Title in a delete. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

XSS Debian Linux Cacti Opensuse
NVD
CVSS 2.0
3.5
EPSS
0.3%
CVE-2014-5025 LOW POC Monitor

Cross-site scripting (XSS) vulnerability in data_sources.php in Cacti 0.8.8b allows remote authenticated users with console access to inject arbitrary web script or HTML via the name_cache parameter. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

XSS PHP Debian Linux Opensuse Cacti
NVD
CVSS 2.0
3.5
EPSS
0.5%
CVE-2014-5262 HIGH PATCH This Week

SQL injection vulnerability in the graph settings script (graph_settings.php) in Cacti 0.8.8b and earlier allows remote attackers to execute arbitrary SQL commands via unspecified vectors. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity.

PHP SQLi Cacti
NVD
CVSS 2.0
7.5
EPSS
0.8%
CVE-2014-5261 HIGH PATCH This Week

The graph settings script (graph_settings.php) in Cacti 0.8.8b and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in a font size, related to the rrdtool. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.

RCE PHP Code Injection Cacti
NVD
CVSS 2.0
7.5
EPSS
1.3%
CVE-2014-4002 MEDIUM PATCH This Month

Multiple cross-site scripting (XSS) vulnerabilities in Cacti 0.8.8b allow remote attackers to inject arbitrary web script or HTML via the (1) drp_action parameter to cdef.php, (2) data_input.php, (3). Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

XSS PHP Opensuse Cacti
NVD
CVSS 2.0
4.3
EPSS
0.4%
CVE-2014-2709 HIGH PATCH This Week

lib/rrd.php in Cacti 0.8.7g, 0.8.8b, and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in unspecified parameters. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity.

PHP Information Disclosure Cacti Debian Linux
NVD VulDB
CVSS 2.0
7.5
EPSS
1.9%
CVE-2014-2328 MEDIUM PATCH This Month

lib/graph_export.php in Cacti 0.8.7g, 0.8.8b, and earlier allows remote authenticated users to execute arbitrary commands via shell metacharacters in unspecified vectors. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

PHP Information Disclosure Cacti Fedora Opensuse +1
NVD VulDB
CVSS 2.0
6.5
EPSS
1.1%
CVE-2014-2327 MEDIUM This Month

Cross-site request forgery (CSRF) vulnerability in Cacti 0.8.7g, 0.8.8b, and earlier allows remote attackers to hijack the authentication of users for unspecified commands, as demonstrated by. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. No vendor patch available.

CSRF Cacti Debian Linux Opensuse
NVD VulDB
CVSS 2.0
6.8
EPSS
0.4%
CVE-2014-2708 HIGH PATCH This Week

Multiple SQL injection vulnerabilities in graph_xport.php in Cacti 0.8.7g, 0.8.8b, and earlier allow remote attackers to execute arbitrary SQL commands via the (1) graph_start, (2) graph_end, (3). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity.

PHP SQLi Cacti
NVD VulDB
CVSS 2.0
7.5
EPSS
1.5%
CVE-2014-2326 MEDIUM POC PATCH This Month

Cross-site scripting (XSS) vulnerability in cdef.php in Cacti 0.8.7g, 0.8.8b, and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available.

XSS PHP Fedora Opensuse Cacti +1
NVD VulDB
CVSS 2.0
4.3
EPSS
1.3%
CVE-2013-5589 HIGH PATCH This Week

SQL injection vulnerability in cacti/host.php in Cacti 0.8.8b and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity.

PHP SQLi Debian Linux Cacti Opensuse
NVD
CVSS 2.0
7.5
EPSS
0.4%
CVE-2013-5588 MEDIUM POC This Month

Multiple cross-site scripting (XSS) vulnerabilities in Cacti 0.8.8b and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the step parameter to install/index.php or (2). Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

PHP XSS Cacti Opensuse
NVD
CVSS 2.0
4.3
EPSS
0.3%
EPSS 0% CVSS 8.8
HIGH POC PATCH This Week

Cacti is an open source performance and fault management framework. Prior to 1.2.29, there is an input-validation flaw in the SNMP device configuration functionality. An authenticated Cacti user can supply crafted SNMP community strings containing control characters (including newlines) that are accepted, stored verbatim in the database, and later embedded into backend SNMP operations. In environments where downstream SNMP tooling or wrappers interpret newline-separated tokens as command boundaries, this can lead to unintended command execution with the privileges of the Cacti process. This vulnerability is fixed in 1.2.29.

Command Injection Ubuntu Debian +2
NVD GitHub
EPSS 0% CVSS 7.6
HIGH PATCH This Week

Cacti through 1.2.29 allows SQL injection in the template function in host_templates.php via the graph_template parameter. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, low attack complexity.

PHP SQLi Cacti +1
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM POC PATCH This Week

Cacti is an open source performance and fault management framework. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

PHP SQLi Cacti +1
NVD GitHub
EPSS 90% 6.0 CVSS 8.7
HIGH POC PATCH THREAT Act Now

Cacti monitoring platform prior to version 1.2.29 allows authenticated users to achieve remote code execution through the graph creation and template functionality. Attackers abuse the graphing engine to create arbitrary PHP scripts in the web root, escalating from monitoring access to full server control.

RCE PHP Cacti +1
NVD GitHub
EPSS 72% CVSS 9.1
CRITICAL POC PATCH THREAT Act Now

Cacti versions prior to 1.2.29 contain an authenticated command injection through the SNMP result parser. By injecting malformed OIDs into SNMP responses, authenticated users can execute arbitrary system commands when the results are processed by the ss_net_snmp_disk_io() or ss_net_snmp_disk_bytes() functions.

Command Injection Cacti Suse
NVD GitHub
EPSS 10% CVSS 7.6
HIGH POC PATCH This Month

Cacti is an open source performance and fault management framework. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

PHP SQLi Cacti +1
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM POC PATCH This Month

Cacti is an open source performance and fault management framework. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

PHP SQLi Cacti +1
NVD GitHub
EPSS 0% CVSS 6.0
MEDIUM POC PATCH This Month

Cacti is an open source performance and fault management framework. Rated medium severity (CVSS 6.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Path Traversal Cacti Suse
NVD GitHub
EPSS 9% CVSS 8.8
HIGH POC This Week

Cacti provides an operational monitoring and fault management framework. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Cacti
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM POC This Month

Cacti is an open source operational monitoring and fault management framework. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Cacti
NVD GitHub
EPSS 1% CVSS 4.8
MEDIUM POC This Month

Cacti is an open source operational monitoring and fault management framework. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Cacti
NVD GitHub
EPSS 85% CVSS 8.8
HIGH POC THREAT Act Now

Cacti provides an operational monitoring and fault management framework. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP SQLi +1
NVD GitHub
EPSS 1% CVSS 5.4
MEDIUM POC PATCH This Month

Cacti is a robust performance and fault management framework and a frontend to RRDTool - a Time Series Database (TSDB). Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

PHP XSS Cacti
NVD GitHub
EPSS 64% CVSS 8.8
HIGH POC THREAT Act Now

Cacti is a robust performance and fault management framework and a frontend to RRDTool - a Time Series Database (TSDB). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE LFI PHP +2
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM POC This Month

SQL Injection vulnerability in Cacti v1.2.25 allows a remote attacker to obtain sensitive information via the form_actions() function in the managers.php function. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Cacti
NVD GitHub
EPSS 1% CVSS 4.8
MEDIUM POC This Month

Cacti is an open source operational monitoring and fault management framework. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Cacti +1
NVD GitHub
EPSS 1% CVSS 4.8
MEDIUM POC This Month

Cacti is an open source operational monitoring and fault management framework. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Cacti +1
NVD GitHub
EPSS 1% CVSS 6.3
MEDIUM POC This Month

Cacti is an open source operational monitoring and fault management framework. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Cacti Fedora
NVD GitHub
EPSS 1% CVSS 5.4
MEDIUM POC This Month

Cacti is an open source operational monitoring and fault management framework. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP Open Redirect Cacti +1
NVD GitHub
EPSS 82% CVSS 7.2
HIGH POC THREAT This Week

Cacti is an open source operational monitoring and fault management framework. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP RCE Command Injection +2
NVD GitHub Exploit-DB
EPSS 2% CVSS 8.8
HIGH POC This Week

Cacti is an open source operational monitoring and fault management framework. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation RCE PHP +3
NVD GitHub
EPSS 2% CVSS 8.8
HIGH POC This Week

Cacti is an open source operational monitoring and fault management framework. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation RCE SQLi +2
NVD GitHub
EPSS 0% CVSS 7.8
HIGH POC This Week

Cacti is an open source operational monitoring and fault management framework. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Microsoft PHP +2
NVD GitHub
EPSS 3% CVSS 4.3
MEDIUM POC This Month

Cacti is an open source operational monitoring and fault management framework. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP Deserialization Cacti +1
NVD GitHub
EPSS 1% CVSS 4.8
MEDIUM POC This Month

Cacti is an open source operational monitoring and fault management framework. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Cacti +1
NVD GitHub
EPSS 1% CVSS 5.4
MEDIUM POC This Month

Cacti is an open source operational monitoring and fault management framework. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Cacti +1
NVD GitHub
EPSS 1% CVSS 5.4
MEDIUM POC This Month

Cacti is an open source operational monitoring and fault management framework. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Cacti +1
NVD GitHub
EPSS 1% CVSS 4.8
MEDIUM POC This Month

Cacti is an open source operational monitoring and fault management framework. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Cacti +1
NVD GitHub
EPSS 1% CVSS 4.8
MEDIUM POC This Month

Cacti is an open source operational monitoring and fault management framework. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Cacti +1
NVD GitHub
EPSS 1% CVSS 4.8
MEDIUM POC This Month

Cacti is an open source operational monitoring and fault management framework. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Cacti +1
NVD GitHub
EPSS 88% CVSS 9.8
CRITICAL POC THREAT Act Now

Cacti is an open source operational monitoring and fault management framework. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP SQLi +2
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM POC This Month

Cacti is an open source operational monitoring and fault management framework.Affected versions are subject to a Stored Cross-Site-Scripting (XSS) Vulnerability allows an authenticated user to poison. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Cacti +1
NVD GitHub
EPSS 2% CVSS 8.8
HIGH POC This Week

Cacti is an open source operational monitoring and fault management framework. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation RCE PHP +3
NVD GitHub
EPSS 1% CVSS 7.5
HIGH This Week

Cacti before 1.2.6 allows IDOR (Insecure Direct Object Reference) for accessing any graph via a modified local_graph_id parameter to graph_xport.php. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PHP Authentication Bypass Cacti
NVD GitHub
EPSS 100% CVSS 9.8
CRITICAL POC KEV PATCH THREAT Act Now

Cacti is an open source platform which provides a robust and extensible operational monitoring and fault management framework for users. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

RCE PHP Command Injection +1
NVD GitHub Exploit-DB
EPSS 3% CVSS 9.8
CRITICAL Act Now

Under certain ldap conditions, Cacti authentication can be bypassed with certain credential types. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Cacti Debian Linux +1
NVD GitHub
EPSS 3% CVSS 6.1
MEDIUM POC PATCH This Month

A cross-site scripting (XSS) vulnerability exists in templates_import.php (Cacti 1.2.13) due to Improper escaping of error message during template import preview in the xml_path field. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS PHP Cacti +1
NVD GitHub
EPSS 86% CVSS 7.2
HIGH POC THREAT Act Now

A SQL injection issue in color.php in Cacti 1.2.12 allows an admin to inject SQL via the filter parameter. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Cacti +1
NVD GitHub Exploit-DB
EPSS 1% CVSS 6.5
MEDIUM POC This Month

In Cacti before 1.2.11, auth_profile.php?action=edit allows CSRF for an admin email change. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF PHP Cacti +1
NVD GitHub
EPSS 1% CVSS 4.3
MEDIUM POC This Month

In Cacti before 1.2.11, disabling a user account does not immediately invalidate any permissions granted to that account (e.g., permission to view logs). Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Cacti Debian Linux +1
NVD GitHub
EPSS 74% CVSS 8.8
HIGH POC THREAT This Week

graph_realtime.php in Cacti 1.2.8 allows remote attackers to execute arbitrary OS commands via shell metacharacters in a cookie, if a guest user has the graph real-time privilege. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection PHP Cacti +4
NVD GitHub Exploit-DB
EPSS 37% CVSS 8.8
HIGH POC THREAT This Week

Cacti 1.2.8 allows Remote Code Execution (by privileged users) via shell metacharacters in the Performance Boost Debug Log field of poller_automation.php. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE Command Injection PHP +1
NVD GitHub
EPSS 2% CVSS 6.1
MEDIUM POC This Month

Cacti 1.2.8 has stored XSS in data_sources.php, color_templates_item.php, graphs.php, graph_items.php, lib/api_automation.php, user_admin.php, and user_group_admin.php, as demonstrated by the. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP Cacti +6
NVD GitHub
EPSS 2% CVSS 8.8
HIGH POC This Week

data_input.php in Cacti 1.2.8 allows remote code execution via a crafted Input String to Data Collection -> Data Input Methods -> Unix -> Ping Host. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP Cacti
NVD GitHub
EPSS 3% CVSS 8.1
HIGH POC This Week

Cacti through 1.2.7 is affected by multiple instances of lib/functions.php unsafe deserialization of user-controlled data to populate arrays. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP Buffer Overflow Deserialization +3
NVD GitHub
EPSS 1% CVSS 4.3
MEDIUM PATCH This Month

In Cacti through 1.2.6, authenticated users may bypass authorization checks (for viewing a graph) via a direct graph_json.php request with a modified local_graph_id parameter. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity.

Authentication Bypass PHP Cacti
NVD GitHub
EPSS 1% CVSS 5.4
MEDIUM POC This Month

In clearFilter() in utilities.php in Cacti before 1.2.3, no escaping occurs before printing out the value of the SNMP community string (SNMP Options) in the View poller cache, leading to XSS. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP Cacti +1
NVD GitHub
EPSS 1% CVSS 5.4
MEDIUM POC This Month

Cacti before 1.1.37 has XSS because it makes certain htmlspecialchars calls without the ENT_QUOTES flag (these calls occur when the html_escape function in lib/html.php is not used). Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP Cacti +1
NVD GitHub
EPSS 1% CVSS 5.4
MEDIUM POC This Month

Cacti before 1.1.37 has XSS because it does not properly reject unintended characters, related to use of the sanitize_uri function in lib/functions.php. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP Cacti +1
NVD GitHub
EPSS 1% CVSS 5.4
MEDIUM POC This Month

Cacti before 1.1.37 has XSS because the get_current_page function in lib/functions.php relies on $_SERVER['PHP_SELF'] instead of $_SERVER['SCRIPT_NAME'] to determine a page name. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP Cacti
NVD GitHub
EPSS 1% CVSS 8.8
HIGH PATCH This Week

auth_login.php in Cacti before 1.0.0 allows remote authenticated users who use web authentication to bypass intended access restrictions by logging in as a user not in the cacti database, because the. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

PHP Privilege Escalation Cacti
NVD GitHub
EPSS 1% CVSS 8.8
HIGH This Week

Cacti before 1.0.0 allows remote authenticated users to conduct PHP object injection attacks and execute arbitrary PHP code via a crafted serialized object, related to calling. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Code Injection Deserialization +2
NVD
EPSS 0% CVSS 6.1
MEDIUM POC This Month

Cacti 1.1.27 has reflected XSS via the PATH_INFO to host.php. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP Cacti
NVD GitHub
EPSS 0% CVSS 4.9
MEDIUM POC This Month

Cacti 1.1.27 allows remote authenticated administrators to read arbitrary files by placing the Log Path into a private directory, and then making a clog.php?filename= request, as demonstrated by. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP Information Disclosure Cacti
NVD GitHub
EPSS 3% CVSS 7.2
HIGH POC This Week

Cacti 1.1.27 allows remote authenticated administrators to conduct Remote Code Execution attacks by placing the Log Path under the web root, and then making a remote_agent.php request containing PHP. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP Information Disclosure +1
NVD GitHub
EPSS 1% CVSS 7.2
HIGH POC This Week

lib/rrd.php in Cacti 1.1.27 allows remote authenticated administrators to execute arbitrary OS commands via the path_rrdtool parameter in an action=save request to settings.php. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP Command Injection Cacti
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM POC PATCH This Month

include/global_session.php in Cacti 1.1.25 has XSS related to (1) the URI or (2) the refresh page. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS PHP Cacti
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

lib/html.php in Cacti before 1.1.18 has XSS via the title field of an external link added by an authenticated user. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS PHP Cacti
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

A cross-site scripting vulnerability exists in Cacti 1.1.17 in the method parameter in spikekill.php. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS PHP Cacti
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerability in aggregate_graphs.php in Cacti before 1.1.16 allows remote authenticated users to inject arbitrary web script or HTML via specially crafted HTTP Referer. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity.

XSS PHP Cacti
NVD GitHub
EPSS 3% CVSS 9.8
CRITICAL PATCH Act Now

spikekill.php in Cacti before 1.1.16 might allow remote attackers to execute arbitrary code via the avgnan, outlier-start, or outlier-end parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

RCE PHP Cacti
NVD GitHub
EPSS 1% CVSS 5.4
MEDIUM POC PATCH This Month

Cross-site scripting (XSS) vulnerability in auth_profile.php in Cacti 1.1.13 allows remote attackers to inject arbitrary web script or HTML via specially crafted HTTP Referer headers. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS PHP Cacti
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM This Month

Cross-Site scripting (XSS) vulnerabilities in Cacti 0.8.8b allow remote attackers to inject arbitrary web script or HTML via the parent_id parameter to tree.php and drp_action parameter to. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS PHP Cacti
NVD
EPSS 1% CVSS 8.8
HIGH POC This Week

SQL injection vulnerability in graph_templates_inputs.php in Cacti 0.8.8b allows remote attackers to execute arbitrary SQL commands via the graph_template_input_id and graph_template_id parameters. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Cacti
NVD
EPSS 0% CVSS 5.4
MEDIUM POC This Month

Cross-site scripting (XSS) vulnerability in aggregate_graphs.php in Cacti 1.1.12 allows remote authenticated users to inject arbitrary web script or HTML via specially crafted HTTP Referer headers,. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP Cacti
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM This Month

Cross-site scripting (XSS) vulnerability in link.php in Cacti 1.1.12 allows remote anonymous users to inject arbitrary web script or HTML via the id parameter, related to the die_html_input_error. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS PHP Cacti
NVD GitHub
EPSS 1% CVSS 8.8
HIGH This Week

auth_login.php in Cacti before 0.8.8g allows remote authenticated users who use web authentication to bypass intended access restrictions by logging in as a user not in the cacti database. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP Privilege Escalation Cacti +2
NVD
EPSS 1% CVSS 8.8
HIGH POC This Week

SQL injection vulnerability in tree.php in Cacti 0.8.8g and earlier allows remote authenticated users to execute arbitrary SQL commands via the parent_id parameter in an item_edit action. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Cacti
NVD
EPSS 1% CVSS 8.8
HIGH POC This Week

SQL injection vulnerability in the host_new_graphs function in graphs_new.php in Cacti 0.8.8f and earlier allows remote authenticated users to execute arbitrary SQL commands via the cg_g parameter in. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Cacti
NVD
EPSS 1% CVSS 8.8
HIGH POC This Week

SQL injection vulnerability in graph_view.php in Cacti 0.8.8.g allows remote authenticated users to execute arbitrary SQL commands via the host_group_data parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Cacti
NVD
EPSS 0% CVSS 7.5
HIGH POC This Week

SQL injection vulnerability in include/top_graph_header.php in Cacti 0.8.8f and earlier allows remote attackers to execute arbitrary SQL commands via the rra_id parameter in a properties action to. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Cacti
NVD
EPSS 0% CVSS 6.5
MEDIUM POC This Month

SQL injection vulnerability in the host_new_graphs_save function in graphs_new.php in Cacti 0.8.8f and earlier allows remote authenticated users to execute arbitrary SQL commands via crafted. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Cacti
NVD
EPSS 0% CVSS 7.5
HIGH POC This Week

SQL injection vulnerability in graphs.php in Cacti before 0.8.8e allows remote attackers to execute arbitrary SQL commands via the local_graph_id parameter. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Cacti
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-site scripting (XSS) vulnerability in settings.php in Cacti before 0.8.8d allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.

XSS PHP Cacti
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

SQL injection vulnerability in the get_hash_graph_template function in lib/functions.php in Cacti before 0.8.8d allows remote attackers to execute arbitrary SQL commands via the graph_template_id. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity.

PHP SQLi Cacti +1
NVD
EPSS 4% CVSS 7.5
HIGH PATCH This Week

SQL injection vulnerability in Cacti before 0.8.8d allows remote attackers to execute arbitrary SQL commands via unspecified vectors involving a cdef id. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity.

SQLi Cacti Fedora
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-site scripting (XSS) vulnerability in Cacti before 0.8.8d allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.

XSS Cacti Fedora
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

SQL injection vulnerability in graph.php in Cacti before 0.8.6f allows remote authenticated users to execute arbitrary SQL commands via the local_graph_id parameter, a different vulnerability than. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

PHP SQLi Cacti
NVD
EPSS 0% CVSS 3.5
LOW POC Monitor

Multiple cross-site scripting (XSS) vulnerabilities in Cacti 0.8.8b allow remote authenticated users with console access to inject arbitrary web script or HTML via a (1) Graph Tree Title in a delete. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

XSS Debian Linux Cacti +1
NVD
EPSS 0% CVSS 3.5
LOW POC Monitor

Cross-site scripting (XSS) vulnerability in data_sources.php in Cacti 0.8.8b allows remote authenticated users with console access to inject arbitrary web script or HTML via the name_cache parameter. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

XSS PHP Debian Linux +2
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

SQL injection vulnerability in the graph settings script (graph_settings.php) in Cacti 0.8.8b and earlier allows remote attackers to execute arbitrary SQL commands via unspecified vectors. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity.

PHP SQLi Cacti
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

The graph settings script (graph_settings.php) in Cacti 0.8.8b and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in a font size, related to the rrdtool. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.

RCE PHP Code Injection +1
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Multiple cross-site scripting (XSS) vulnerabilities in Cacti 0.8.8b allow remote attackers to inject arbitrary web script or HTML via the (1) drp_action parameter to cdef.php, (2) data_input.php, (3). Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

XSS PHP Opensuse +1
NVD
EPSS 2% CVSS 7.5
HIGH PATCH This Week

lib/rrd.php in Cacti 0.8.7g, 0.8.8b, and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in unspecified parameters. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity.

PHP Information Disclosure Cacti +1
NVD VulDB
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

lib/graph_export.php in Cacti 0.8.7g, 0.8.8b, and earlier allows remote authenticated users to execute arbitrary commands via shell metacharacters in unspecified vectors. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

PHP Information Disclosure Cacti +3
NVD VulDB
EPSS 0% CVSS 6.8
MEDIUM This Month

Cross-site request forgery (CSRF) vulnerability in Cacti 0.8.7g, 0.8.8b, and earlier allows remote attackers to hijack the authentication of users for unspecified commands, as demonstrated by. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. No vendor patch available.

CSRF Cacti Debian Linux +1
NVD VulDB
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Multiple SQL injection vulnerabilities in graph_xport.php in Cacti 0.8.7g, 0.8.8b, and earlier allow remote attackers to execute arbitrary SQL commands via the (1) graph_start, (2) graph_end, (3). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity.

PHP SQLi Cacti
NVD VulDB
EPSS 1% CVSS 4.3
MEDIUM POC PATCH This Month

Cross-site scripting (XSS) vulnerability in cdef.php in Cacti 0.8.7g, 0.8.8b, and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available.

XSS PHP Fedora +3
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

SQL injection vulnerability in cacti/host.php in Cacti 0.8.8b and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity.

PHP SQLi Debian Linux +2
NVD
EPSS 0% CVSS 4.3
MEDIUM POC This Month

Multiple cross-site scripting (XSS) vulnerabilities in Cacti 0.8.8b and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the step parameter to install/index.php or (2). Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

PHP XSS Cacti +1
NVD
Page 1 of 2 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy