CVE-2026-39899
MediumCVSS 5.3Exploitation Probability (EPSS)
Low risk17th percentile — higher than 17% of all known CVEs
Summary
Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior are vulnerable to Path Traversal via filename parameter in package_import.php. This issue has been fixed in version 1.2.31.
Risk Assessment
An attacker can exploit the vulnerability to read or write files outside the allowed directory, potentially leading to data leakage or system compromise.
Recommendation
It is recommended to immediately upgrade Cacti to version 1.2.31 or later. Also restrict access to package_import.php to trusted users only.
Original NVD description (English source)
Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior are vulnerable to Path Traversal via filename parameter in package_import.php. This issue has been fixed in version 1.2.31.

