CVE-2026-40079
CriticalCVSS 9.8Exploitation Probability (EPSS)
Elevated risk62th percentile — higher than 62% of all known CVEs
Summary
Cacti versions 1.2.30 and prior are vulnerable to Command Injection due to lack of sanitization in the escape_command() function in lib/rrd.php, which returns the command unchanged. The rrdtool_function_graph() function passes the built command to shell_exec() through this ineffective function, and the risk is that text_format values from graph templates (which may contain host variable substitutions) reach shell_exec() without adequate escaping.
Risk Assessment
An attacker can inject arbitrary system commands, leading to full compromise of the Cacti server, data theft, or further attacks on the infrastructure.
Recommendation
Immediately update Cacti to version 1.2.31 or later, which includes a fix for this vulnerability.
Original NVD description (English source)
Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior are vulnerable to Command Injection due to lack of sanitization in the escape_command() function. The escape_command() function at lib/rrd.php is a no-op: it returns $command unchanged. The command line built by rrdtool_function_graph() is passed through this function and then to shell_exec($full_commandline). The risk is in __rrd_execute() where text_format values from graph templates (which may contain host variable substitutions) reach shell_exec without adequate escaping. This issue has been addressed in version 1.2.31.

