CVE-2026-40084
Status: Received - Intake
Path Traversal in Cacti via format_file Parameter

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: GitHub, Inc.

Description
Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior are vulnerable to path traversal through the report format_file parameter, leading to arbitrary file read. The vulnerability occurs in two stages. In the first stage (stored injection), lib/html_reports.php at line 283 stores $save['format_file'] = $post['format_file'] directly into the database without any validation. In the second stage (file read), lib/reports.php at line 667 concatenates CACTI_PATH_FORMATS . '/' . $format_file, and line 670 then calls file($format_file), reading arbitrary files from the filesystem. This issue has been fixed in version 1.2.31.
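A defensive allowlist check for the format_file value, as an added example in PHP that is not Cacti's own code: it accepts only a plain filename that resolves to a regular file directly inside CACTI_PATH_FORMATS, so the value can be validated both before it is stored and again before file() is called. The constant name comes from the advisory; the demo directory, the function name resolve_format_file, the .format extension and the constructed sample inputs are assumptions.

```php
<?php
// Added example, not Cacti code. Constant name from the advisory; the
// directory below is a constructed stand-in for the real formats directory.
declare(strict_types=1);

define('CACTI_PATH_FORMATS', sys_get_temp_dir() . '/demo_formats');

/**
 * Return the canonical path of $formatFile if, and only if, it names a
 * regular file directly inside CACTI_PATH_FORMATS; otherwise return null.
 * Callers store and read only what this function returns.
 */
function resolve_format_file(string $formatFile): ?string
{
    // Accept a bare filename only: conservative character set, assumed
    // .format extension, no directory separators and no dot-segments.
    if (!preg_match('/^[A-Za-z0-9_.-]+\.format$/', $formatFile)
        || str_contains($formatFile, '..')) {
        return null;
    }
    $base = realpath(CACTI_PATH_FORMATS);
    $path = realpath(CACTI_PATH_FORMATS . '/' . $formatFile);
    if ($base === false || $path === false) {
        return null; // base missing or file does not exist
    }
    // Defence in depth: the resolved path must still sit under the base
    // directory (catches symlinks pointing elsewhere) and be a regular file.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0
        || !is_file($path)) {
        return null;
    }
    return $path;
}

// Demo setup: a constructed formats directory holding one legitimate file.
if (!is_dir(CACTI_PATH_FORMATS)) {
    mkdir(CACTI_PATH_FORMATS, 0700, true);
}
file_put_contents(CACTI_PATH_FORMATS . '/default.format', "<!-- demo -->\n");

// Constructed inputs standing in for $post['format_file'].
$samples = ['default.format', '../outside.txt', 'sub/x.format', 'missing.format'];
foreach ($samples as $s) {
    $r = resolve_format_file($s);
    printf("%-16s => %s\n", $s, $r === null ? 'rejected' : 'accepted: ' . $r);
}
```

Only default.format is accepted; the traversal, subdirectory and nonexistent inputs are all rejected before any path is built for file().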
Meta Information
Published: 2026-06-25
Last Modified: 2026-06-25
Generated: 2026-06-26
AI Q&A: 2026-06-26
EPSS Evaluated: N/A
Affected Vendors & Products (2 associated CPEs)
Vendor: cacti; Product: cacti; Version / Range: up to 1.2.31 (excluding)
Vendor: cacti; Product: cacti; Version / Range: 1.2.31
CWE
CWE-22: The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Executive Summary

This vulnerability affects Cacti versions 1.2.30 and earlier. It is a Path Traversal vulnerability involving the 'format_file' parameter in report generation. The issue occurs in two stages: first, the 'format_file' parameter is stored directly into the database without validation, allowing malicious input to be saved. Second, when the report is generated, the application reads the file specified by this parameter from the filesystem without proper sanitization, enabling an attacker to read arbitrary files on the server.

Impact Analysis

This vulnerability can allow an attacker with limited privileges to read arbitrary files on the server where Cacti is installed. This could lead to exposure of sensitive information such as configuration files, credentials, or other data stored on the system, potentially compromising the security of the affected environment.

Mitigation Strategies

To mitigate this vulnerability, upgrade Cacti to version 1.2.31 or later, where the issue has been fixed.

Compliance Impact

The vulnerability allows arbitrary file read through a path traversal attack, potentially exposing sensitive information stored on the affected system.

Exposure of sensitive data due to this vulnerability could lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require safeguarding personal and health information against unauthorized access.

However, specific impacts on compliance depend on the nature of the data exposed and the environment in which Cacti is deployed.
