CVE-2026-39893
CriticalCVSS 9.8Exploitation Probability (EPSS)
Low risk28th percentile — higher than 28% of all known CVEs
Summary
In Cacti versions 1.2.30 and prior, the rfilter request variable was concatenated into an RLIKE SQL clause without sanitization. The vulnerability allows pre-auth SQL Injection (SQLi) if guest graph viewing is enabled. The issue was fixed in version 1.2.31.
Risk Assessment
An unauthenticated attacker can execute arbitrary SQL queries, potentially leading to data leakage, database modification, or privilege escalation.
Recommendation
Immediately upgrade Cacti to version 1.2.31 or later. If upgrading is not possible, consider disabling guest graph access.
Original NVD description (English source)
Cacti is an open source performance and fault management framework. In versions 1.2.30 and prior, the rfilter request variable was concatenated into a RLIKE SQL clause without sanitization. The endpoint does not require authentication (graph viewing supports guest access via the configured guest user), so the SQLi was reachable pre-auth on installs with guest viewing enabled. This issue was fixed in version 1.2.31.

