CVE-2026-39948
Status: Received - Intake
SQL Injection in Cacti via Unvalidated RLIKE Clause

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: GitHub, Inc.

Description
Cacti is an open source performance and fault management framework. In versions 1.2.30 and prior, the rfilter request parameter is retrieved via the raw accessor grv() (rather than gfrv() with FILTER_VALIDATE_IS_REGEX validation) and concatenated directly into RLIKE SQL clauses in lib/html_graph.php and lib/html_tree.php. These code paths are reachable pre-authentication through graph_view.php on installations with guest graph viewing enabled. Because the raw accessor skips the regex validation that would otherwise reject an unbalanced-quote payload, an unauthenticated attacker can inject arbitrary SQL and compromise the confidentiality, integrity, and availability of the database. This advisory is similar to GHSA-69gg-mjfm-jjpc. The issue has been fixed in version 1.2.31.
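As an added example, not part of the advisory and not Cacti's own code, the following Python script shows the bug class and the two defenses side by side: a request filter concatenated into the regex-match clause, the same filter validated as a regular expression, and the same filter bound as a query parameter. It assumes a constructed graph table in SQLite, uses SQLite's REGEXP (backed by Python's re module) in place of MySQL's RLIKE, and models the FILTER_VALIDATE_IS_REGEX gate as "compiles as a regex and contains no unescaped single quote", which is an assumption about how a validator that compiles the pattern inside quote delimiters rejects an unbalanced quote. Table, column and function names are illustrative.

```python
import re
import sqlite3

# Constructed sample rows standing in for a graph table (assumption: not Cacti's real schema).
# The third row is hidden and must never be returned by a guest search.
SAMPLE_GRAPHS = [
    (1, "router1 - Traffic", 0),
    (2, "router2 - Traffic", 0),
    (3, "secret-host - Load", 1),
]

# Constructed unbalanced-quote payload: closes the RLIKE string early, appends OR 1=1,
# and comments out the closing quote the application appends.
PAYLOAD = "' OR 1=1 -- "


def open_db():
    """In-memory SQLite database with a REGEXP function, so `col REGEXP ?` plays the
    role of MySQL's `col RLIKE ?` for this demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.create_function(
        "regexp", 2,
        lambda pattern, value: 1 if value is not None and re.search(pattern, value) else 0,
    )
    conn.execute("CREATE TABLE graph_local (id INTEGER, title_cache TEXT, hidden INTEGER)")
    conn.executemany("INSERT INTO graph_local VALUES (?, ?, ?)", SAMPLE_GRAPHS)
    return conn


def vulnerable_search(conn, rfilter):
    """The bug class: the raw request value is concatenated into the regex-match clause."""
    sql = ("SELECT id FROM graph_local WHERE hidden = 0 "
           "AND title_cache REGEXP '" + rfilter + "'")
    return sorted(row[0] for row in conn.execute(sql))


def is_valid_regex_filter(rfilter):
    """Validation gate in the spirit of FILTER_VALIDATE_IS_REGEX. Assumption: modelled as
    'must compile as a regex and must not contain an unescaped single quote', which is how
    a validator that compiles the pattern inside quote delimiters behaves. Empty = no filter."""
    if rfilter == "":
        return True
    if re.search(r"(?<!\\)'", rfilter):
        return False
    try:
        re.compile(rfilter)
    except re.error:
        return False
    return True


def bound_search(conn, rfilter):
    """Parameter binding alone: the value can only ever be the pattern, never SQL."""
    sql = "SELECT id FROM graph_local WHERE hidden = 0 AND title_cache REGEXP ?"
    return sorted(row[0] for row in conn.execute(sql, (rfilter,)))


def hardened_search(conn, rfilter):
    """Both layers: validate the filter as a regex, then bind it.
    Returns None when the filter is rejected (a web handler would answer 400 here)."""
    if not is_valid_regex_filter(rfilter):
        return None
    return bound_search(conn, rfilter)


def demo():
    conn = open_db()
    return {
        "legit_vulnerable": vulnerable_search(conn, "router1"),   # [1]
        "payload_vulnerable": vulnerable_search(conn, PAYLOAD),   # [1, 2, 3]: hidden row leaked
        "payload_bound_only": bound_search(conn, PAYLOAD),        # []: payload is just a pattern
        "payload_hardened": hardened_search(conn, PAYLOAD),       # None: rejected by validation
        "legit_hardened": hardened_search(conn, "router[0-9]"),   # [1, 2]
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20s} {result}")
```

The run makes the layering visible: binding alone already neutralizes the payload (it becomes a pattern that matches nothing), while the validation gate is what turns the unbalanced quote into a rejected request instead of a silently empty result. The accessor mismatch the advisory describes (grv() instead of gfrv() with FILTER_VALIDATE_IS_REGEX) is the validation layer; binding the value is the layer that removes the injection regardless of what validation accepts.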
Meta Information
Published: 2026-06-24
Last Modified: 2026-06-24
Generated: 2026-06-25
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 2 associated CPEs
Vendor  Product  Version / Range
cacti   cacti    up to 1.2.31 (exclusive)
cacti   cacti    1.2.31
Note: the advisory text states that 1.2.31 contains the fix, yet the second CPE row lists 1.2.31 itself. Treat 1.2.30 and earlier as affected and confirm the status of 1.2.31 against the vendor advisory before relying on it.
CWE
CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Impact Analysis

An unauthenticated attacker can exploit this vulnerability to inject arbitrary SQL commands, which can compromise the confidentiality, integrity, and availability of the database. This means sensitive data could be exposed, altered, or deleted, and the database or application could be disrupted or taken offline.

Mitigation Strategies

Upgrade to Cacti 1.2.31 or later, which fixes the issue; versions 1.2.30 and prior are affected.

Until the upgrade is applied, disabling guest graph viewing removes the unauthenticated path through graph_view.php. This is a stopgap rather than a fix: the concatenation of rfilter into the RLIKE clauses in lib/html_graph.php and lib/html_tree.php remains in place for any authenticated user who can reach those views.

Compliance Impact

An unauthenticated attacker can read, alter, or delete database contents through arbitrary SQL injection.

Where the Cacti database holds personal or otherwise regulated data, such a compromise can amount to a reportable breach under data protection regimes such as GDPR and HIPAA. The advisory itself does not assess compliance impact; that depends on what the affected instance stores.

Executive Summary

This vulnerability exists in Cacti versions 1.2.30 and earlier, where the rfilter request parameter is read through the raw accessor grv() instead of the validating gfrv() with FILTER_VALIDATE_IS_REGEX, and is then concatenated directly into RLIKE SQL clauses. Because no regex validation is applied, an unbalanced-quote payload reaches the query intact and injects SQL. On installations with guest graph viewing enabled the injection is reachable without authentication through graph_view.php, leading to full compromise of the database; the fix is in version 1.2.31.
