CVE Catalog

CVE-2026-39938

CriticalCVSS 9.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.44%

35th percentile — higher than 35% of all known CVEs

Summary

Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have unauthenticated LFI through graph_theme and rrdtool IPC serialization hardening. This issue has been resolved in version 1.2.31.

Risk Assessment

An unauthenticated attacker can read arbitrary files on the server, potentially leading to disclosure of sensitive data such as configurations, passwords, or private keys.

Recommendation

Immediately upgrade Cacti to version 1.2.31 or later. If upgrading is not possible, restrict access to the Cacti interface to trusted networks only.

Original NVD description (English source)

Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have unauthenticated LFI through graph_theme and rrdtool IPC serialization hardening. This issue has been resolved in version 1.2.31.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS