CVE-2026-39951
HighCVSS 7.6Exploitation Probability (EPSS)
Low risk13th percentile — higher than 13% of all known CVEs
Summary
Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have a Stored SQL Injection vulnerability through graph_name_regexp in the Reports feature. This issue has been fixed in version 1.2.31.
Risk Assessment
An attacker can exploit this vulnerability to execute arbitrary SQL queries on the database, potentially leading to data leakage, modification, or deletion, as well as privilege escalation within the system.
Recommendation
Immediately update Cacti to version 1.2.31 or later. If updating is not possible, restrict access to the Reports feature to trusted users only.
Original NVD description (English source)
Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have a Stored SQL Injection vulnerability through graph_name_regexp in the Reports feature. This issue has been fixed in version 1.2.31.

