CVE-2026-39951
Status: Received - Intake
Stored SQL Injection in Cacti Reports Feature

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: GitHub, Inc.

Description
Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have a Stored SQL Injection vulnerability through graph_name_regexp in the Reports feature. This issue has been fixed in version 1.2.31.
EPSS Evaluated: N/A
Affected Vendors & Products
Two associated CPEs are listed:

Vendor | Product | Version / Range
cacti  | cacti   | all versions before 1.2.31 (1.2.31 excluded)
cacti  | cacti   | 1.2.31

Note that the second row lists 1.2.31 itself, while the description states that 1.2.31 contains the fix. The two statements conflict; treat the description and the vendor fix as authoritative and confirm against the vendor advisory before classifying a 1.2.31 install as vulnerable.
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'). The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Executive Summary

CVE-2026-39951 is a stored SQL injection in the Reports feature of Cacti 1.2.30 and earlier. The `graph_name_regexp` value supplied when a report is configured is not neutralized before it is placed in a SQL statement, so a low-privileged authenticated user can store SQL syntax in a report definition and have it executed when Cacti later builds that report.

Version 1.2.31 fixes the issue by quoting the regular expression with `db_qstr_rlike()` before it reaches the SQL query and by passing the value through `html_escape()` before it is rendered in HTML.

Impact Analysis

The dominant impact is on confidentiality: injected SQL runs with the privileges of the Cacti database account and can read data the attacker is not entitled to see.

Integrity and availability are affected to a moderate degree, since the same injection point can be used to modify data or disrupt the service.

The flaw is reachable remotely over the network, has low attack complexity, requires only low privileges (a user allowed to configure reports) and needs no interaction from another user.

Detection Guidance

The injection point is the graph_name_regexp value submitted through the Reports feature in Cacti 1.2.30 and earlier. Because the injection is stored, the malicious value persists in the report definition and is used again every time the report is generated, so there are two places to look: the requests that set the value and the values already held in the database.

For the request side, review submissions to the Reports pages for graph_name_regexp values that contain SQL metacharacters (single quotes, comment sequences such as -- or /*, statement separators, or keywords such as UNION and SELECT). These have no purpose in a regular expression that selects graphs by name and are a strong indicator of an injection attempt. For the stored side, audit existing report definitions for the same indicators, since a payload planted before the upgrade remains in place after it.

No vendor-provided detection commands, signatures or tools are listed on this page.
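The following is an added example, not code from Cacti or from this advisory. It applies the detection idea above to two constructed inputs: URL-encoded POST bodies as a reverse proxy or WAF audit log might record them, and (report_id, graph_name_regexp) rows as exported from the Cacti database. The form-field name graph_name_regexp comes from the advisory; the endpoint path, the action value, the table and column names in the payloads, and the indicator weights are assumptions chosen for illustration.

```python
"""Flag graph_name_regexp values that carry SQL syntax (added example)."""
import re
from urllib.parse import parse_qs

# Indicator list (assumption): tokens needed to close a quoted SQL string or
# alter the statement, which a graph-name regex has no legitimate use for.
# Entries are (pattern, weight, reason); a value is flagged at FLAG_THRESHOLD.
SQL_INDICATORS = [
    (re.compile(r"'"), 3, "single quote (closes the SQL string literal)"),
    (re.compile(r"--|/\*"), 2, "SQL comment sequence"),
    (re.compile(r";"), 1, "statement separator"),
    (re.compile(r"\b(union|select|sleep|benchmark|information_schema|load_file)\b",
                re.IGNORECASE), 2, "SQL keyword"),
]
FLAG_THRESHOLD = 3


def score_regexp(value):
    """Return (score, reasons) for one graph_name_regexp value."""
    score, reasons = 0, []
    for pattern, weight, reason in SQL_INDICATORS:
        if pattern.search(value):
            score += weight
            reasons.append(reason)
    return score, reasons


def scan_form_bodies(records):
    """records: (source, url-encoded POST body) pairs from a proxy or WAF log
    that captures request bodies. Returns one finding per flagged value."""
    findings = []
    for source, body in records:
        for value in parse_qs(body, keep_blank_values=True).get("graph_name_regexp", []):
            score, reasons = score_regexp(value)
            if score >= FLAG_THRESHOLD:
                findings.append({"source": source, "value": value,
                                 "score": score, "reasons": reasons})
    return findings


def scan_stored_values(rows):
    """rows: (report_id, graph_name_regexp) pairs exported from the database.
    Catches payloads that were stored before the upgrade to 1.2.31."""
    findings = []
    for report_id, value in rows:
        score, reasons = score_regexp(value)
        if score >= FLAG_THRESHOLD:
            findings.append({"report_id": report_id, "value": value,
                             "score": score, "reasons": reasons})
    return findings


# Constructed sample input. Path and action parameter are assumptions.
SAMPLE_BODIES = [
    ("10.0.0.5 POST /cacti/reports_user.php",
     "action=item_edit&report_id=7&graph_name_regexp=%5Ecpu_.%2A%24"),
    ("10.0.0.9 POST /cacti/reports_user.php",
     "action=item_edit&report_id=7&graph_name_regexp=x%27+UNION+SELECT+password+FROM+users--+"),
    ("10.0.0.5 POST /cacti/reports_user.php",
     "action=item_edit&report_id=8&graph_name_regexp=disk%7Cmemory"),
]

# Constructed sample export of stored report items.
SAMPLE_ROWS = [
    (7, "^cpu_.*$"),
    (7, "x' UNION SELECT password FROM users-- "),
    (9, "^(disk|memory).*'; -- "),
    (11, "select_.*"),  # 'select' as part of a name: no word boundary, not flagged
]

if __name__ == "__main__":
    for finding in scan_form_bodies(SAMPLE_BODIES) + scan_stored_values(SAMPLE_ROWS):
        print(finding)
```

The word-boundary match on keywords keeps a graph name such as select_traffic from being flagged on its own; a single quote carries most of the weight because it is what turns the regex into SQL. Regex metacharacters such as ^, $, | and .* are deliberately ignored, since they are exactly what a legitimate graph_name_regexp contains.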

Mitigation Strategies

The primary mitigation is to upgrade Cacti to version 1.2.31 or later, where the issue is fixed.

The fix quotes the graph_name_regexp value with db_qstr_rlike() before it is embedded in the SQL query and escapes it with html_escape() before it is rendered, so the stored value can no longer change the query or the page markup.

Until the upgrade is applied, restrict which accounts may create or edit reports, since low privileges are sufficient to reach the injection point, and review existing report definitions for stored payloads. The broader hardening measures described in the security hardening commit referenced by the fix (input validation, output escaping and session-security improvements) further reduce exposure.
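To show why quoting the regular expression matters, here is an added example (not Cacti's code and not the project's fix) that reduces the CWE-89 pattern behind this CVE to a few lines. A user-supplied graph-name regex is either interpolated into a REGEXP clause (the vulnerable form) or bound as a parameter (the hardened form). The database, table and column names, the stored secret and the payload are all constructed; SQLite with a Python-side REGEXP function stands in for MySQL RLIKE, and parameter binding stands in for Cacti's db_qstr_rlike() quoting, which is not reproduced here.

```python
"""Vulnerable versus hardened use of a user-supplied regex in SQL (added example)."""
import re
import sqlite3


def _regexp(pattern, value):
    # SQLite evaluates "X REGEXP Y" by calling regexp(Y, X).
    try:
        return re.search(pattern, value) is not None
    except re.error:
        return False


def make_db():
    """In-memory database with constructed graph names and a constructed secret."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("REGEXP", 2, _regexp)
    conn.executescript("""
        CREATE TABLE graphs (name TEXT);
        INSERT INTO graphs VALUES ('cpu_usage'), ('memory_free'), ('disk_io');
        CREATE TABLE settings (name TEXT, value TEXT);
        INSERT INTO settings VALUES ('api_key', 'sk-constructed-0001');
    """)
    return conn


def select_vulnerable(conn, user_regexp):
    # The regex text is spliced into the statement: a quote inside it ends the
    # string literal and whatever follows is parsed as SQL.
    sql = f"SELECT name FROM graphs WHERE name REGEXP '{user_regexp}'"
    return [row[0] for row in conn.execute(sql)]


def select_hardened(conn, user_regexp):
    # The regex travels as a bound value; the statement text never changes.
    sql = "SELECT name FROM graphs WHERE name REGEXP ?"
    return [row[0] for row in conn.execute(sql, (user_regexp,))]


# Constructed payload: closes the literal, appends a UNION, comments out the rest.
PAYLOAD = "x' UNION SELECT value FROM settings -- "

if __name__ == "__main__":
    db = make_db()
    print("legit   vulnerable:", select_vulnerable(db, "^cpu"))
    print("legit   hardened:  ", select_hardened(db, "^cpu"))
    print("payload vulnerable:", select_vulnerable(db, PAYLOAD))
    print("payload hardened:  ", select_hardened(db, PAYLOAD))
```

With the legitimate regex both functions return the same graph, so the hardened form loses no functionality. With the payload the interpolated query leaks the value from the settings table, which is the confidentiality impact described above, while the bound query treats the whole payload as a regular expression that matches no graph name and returns nothing.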

Compliance Impact

Because the injection is reachable by a low-privileged authenticated user and carries a high confidentiality impact, a successful exploit can expose data that regulations such as GDPR and HIPAA require organizations to protect, and the accompanying integrity and availability effects bear on the same obligations.

This page does not map the CVE to specific requirements of those or other standards; any compliance assessment has to be made against the data actually held in the affected Cacti instance.
