CVE-2025-45160
Unknown Unknown - Not Provided
HTML Injection in Cacti File Upload Causes Reflected XSS

Publication date: 2026-01-29

Last updated on: 2026-02-02

Assigner: MITRE

Description
A HTML injection vulnerability exists in the file upload functionality of Cacti <= 1.2.29. When a file with an invalid format is uploaded, the application reflects the submitted filename back into an error popup without proper sanitization. As a result, attackers can inject arbitrary HTML elements (e.g.,

, , ) into the rendered page. NOTE: Multiple third-parties including the maintainer have stated that they cannot reproduce this issue after 1.2.27.

CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-29
Last Modified
2026-02-02
Generated
2026-06-16
AI Q&A
2026-01-29
EPSS Evaluated
2026-06-15
NVD
CVE-2025-45160
EUVD
EUVD-2025-206538
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
cacti cacti to 1.2.29 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-80 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-45160 is an HTML injection vulnerability in Cacti versions up to 1.2.29. It occurs in the file upload functionality where, if a file with an invalid format is uploaded, the application reflects the submitted filename back into an error popup without properly sanitizing it. This allows an attacker to inject arbitrary HTML elements (such as <h1>, <b>, <svg>) into the rendered error message popup, altering the page's content and appearance. The vulnerability is specifically in the POST endpoint `/templates_import.php?preview_only=true` within the filename parameter during error handling. Although it does not allow JavaScript execution, it can be used for UI redressing or social engineering by misleading users through manipulated popup content. [2]

Impact Analysis

This vulnerability can impact you by allowing attackers to inject arbitrary HTML into error popups, which can alter the user interface and potentially mislead users. While it does not allow execution of JavaScript, the injected HTML can be used for UI redressing or social engineering attacks, tricking users into performing unintended actions or believing false information presented in the manipulated popup. This can undermine user trust and potentially lead to further security issues if users are deceived. [2]

Detection Guidance

This vulnerability can be detected by attempting to upload a file with an invalid format and a crafted filename containing HTML tags (e.g., <h1>HACK.xml) to the authenticated template file upload endpoint `/templates_import.php?preview_only=true`. Observing whether the error popup reflects the filename with injected HTML elements indicates the presence of the vulnerability. Since this requires authentication and interaction with the web interface, detection involves manual testing or automated scripts that simulate this upload. Specific commands are not provided in the resources. [2]

Mitigation Strategies

Immediate mitigation steps include upgrading Cacti to a version later than 1.2.29, such as 1.2.30 or newer, where this vulnerability is addressed. Additionally, ensure that PHP is updated to version 8.1 or higher, apply all relevant database schema upgrades using the provided upgrade scripts, and manage dependencies via Composer to incorporate security patches. Restrict file upload permissions and validate/sanitize filenames on the server side to prevent injection. Monitoring and following official Cacti project updates and applying recommended configuration settings also help mitigate this vulnerability. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-45160. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart