CVE Catalog

CVE-2026-40084

MediumCVSS 6.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.31%

22th percentile — higher than 22% of all known CVEs

Summary

Cacti versions 1.2.30 and prior are vulnerable to Path Traversal via the Report format_file parameter, allowing arbitrary file read. The vulnerability involves two stages: stored injection without validation and subsequent file read using an unsanitized path.

Risk Assessment

An attacker can read sensitive system files, such as configurations, passwords, or application data, leading to information disclosure and potential attack escalation.

Recommendation

Immediately upgrade Cacti to version 1.2.31 or later, which includes a fix for this vulnerability.

Original NVD description (English source)

Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior are vulnerable to Path Traversal through the Report format_file Parameter, causing arbitrary file read. This vulnerability occurs in two stages. In the first stage (stored injection), lib/html_reports.php at line 283 stores $save['format_file'] = $post['format_file'] directly into the database without any validation. In the second stage (file read), lib/reports.php at line 667 concatenates CACTI_PATH_FORMATS . '/' . $format_file, and line 670 then calls file($format_file), reading arbitrary files from the filesystem. This issue has been fixed in version 1.2.31.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS