CVE-2025-45160
HTML Injection in Cacti File Upload Causes Reflected XSS
Publication date: 2026-01-29
Last updated on: 2026-02-02
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cacti | cacti | up to 1.2.29 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-80 | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-45160 is an HTML injection vulnerability in Cacti versions up to 1.2.29. It occurs in the file upload functionality where, if a file with an invalid format is uploaded, the application reflects the submitted filename back into an error popup without properly sanitizing it. This allows an attacker to inject arbitrary HTML elements (such as <h1>, <b>, <svg>) into the rendered error message popup, altering the page's content and appearance. The vulnerability is specifically in the POST endpoint `/templates_import.php?preview_only=true` within the filename parameter during error handling. Although it does not allow JavaScript execution, it can be used for UI redressing or social engineering by misleading users through manipulated popup content. [2]
How can this vulnerability impact me?
This vulnerability can impact you by allowing attackers to inject arbitrary HTML into error popups, which can alter the user interface and potentially mislead users. While it does not allow execution of JavaScript, the injected HTML can be used for UI redressing or social engineering attacks, tricking users into performing unintended actions or believing false information presented in the manipulated popup. This can undermine user trust and potentially lead to further security issues if users are deceived. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to upload a file with an invalid format and a crafted filename containing HTML tags (e.g., <h1>HACK.xml) to the authenticated template file upload endpoint `/templates_import.php?preview_only=true`. Observing whether the error popup reflects the filename with injected HTML elements indicates the presence of the vulnerability. Since this requires authentication and interaction with the web interface, detection involves manual testing or automated scripts that simulate this upload. Specific commands are not provided in the resources. [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading Cacti to a version later than 1.2.29, such as 1.2.30 or newer, where this vulnerability is addressed. Additionally, ensure that PHP is updated to version 8.1 or higher, apply all relevant database schema upgrades using the provided upgrade scripts, and manage dependencies via Composer to incorporate security patches. Restrict file upload permissions and validate/sanitize filenames on the server side to prevent injection. Monitoring and following official Cacti project updates and applying recommended configuration settings also help mitigate this vulnerability. [1]
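As an added illustration of the server-side fix for CWE-80 (constructed example code, not Cacti's own source), the PHP below contrasts an error message that reflects the raw submitted filename with one that HTML-encodes it at the point of output, and adds a separate allow-list check on the name before the upload is accepted; the allow-listed character set is an assumption, not a Cacti rule.

```php
<?php
// Constructed example, not Cacti's code: an upload error handler that reflects
// the client-supplied filename, shown in a vulnerable and a hardened form.

// Vulnerable: the raw filename is concatenated into markup, so any tags in the
// name (e.g. "<h1>HACK.xml") are rendered by the browser inside the error popup.
function render_upload_error_vulnerable(string $filename): string
{
    return '<div class="error">Invalid template file: ' . $filename . '</div>';
}

// Hardened: whatever is reflected is HTML-encoded where it is written into the
// page, so "<", ">", "&" and quotes can never be interpreted as markup.
function render_upload_error_safe(string $filename): string
{
    $shown = htmlspecialchars($filename, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<div class="error">Invalid template file: ' . $shown . '</div>';
}

// Defence in depth, applied before the upload is processed at all: strip any
// path components and accept only a conservative allow-list of characters.
// The allowed set below is an assumption chosen to cover ordinary template
// filenames; adjust it to local policy. Returns null when the name is rejected.
function validate_upload_filename(string $filename): ?string
{
    $name = basename($filename);
    if (preg_match('/^[A-Za-z0-9_.-]{1,128}$/', $name) !== 1) {
        return null;
    }
    return $name;
}

// Demonstration with the filename shape described in the advisory text.
$submitted = '<h1>HACK.xml';
echo render_upload_error_vulnerable($submitted), PHP_EOL;
echo render_upload_error_safe($submitted), PHP_EOL;
var_dump(validate_upload_filename($submitted));            // rejected: null
var_dump(validate_upload_filename('../../host_template.xml')); // path stripped, name kept
```

Encoding at output is the change that removes the HTML injection; the allow-list check is an extra gate that rejects such names before they reach any error path.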