CVE-2026-39893
Cacti: Pre-authentication SQL injection via rfilter RLIKE clause in graph_view.php
CVSS Score
9.8
EPSS Score
0.0%
EPSS Percentile
0th
Cacti is an open source performance and fault management framework. In versions 1.2.30 and prior, the rfilter request variable was concatenated into a RLIKE SQL clause without sanitization. The endpoint does not require authentication (graph viewing supports guest access via the configured guest user), so the SQLi was reachable pre-auth on installs with guest viewing enabled. This issue was fixed in version 1.2.31.
| CWE | CWE-89 |
| Vendor | cacti |
| Product | cacti |
| Published | Jun 24, 2026 |
Stay Ahead of the Next One
Get instant alerts for cacti cacti
Be the first to know when new critical vulnerabilities affecting cacti cacti are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Affected Versions
Cacti / cacti
< 1.2.31