CVE-2026-40084
Analyzed Analyzed - Analysis Complete

Path Traversal in Cacti via format_file Parameter

Vulnerability report for CVE-2026-40084, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-25

Last updated on: 2026-06-29

Assigner: GitHub, Inc.

Description

Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior are vulnerable to Path Traversal through the Report format_file Parameter, causing arbitrary file read. This vulnerability occurs in two stages. In the first stage (stored injection), lib/html_reports.php at line 283 stores $save['format_file'] = $post['format_file'] directly into the database without any validation. In the second stage (file read), lib/reports.php at line 667 concatenates CACTI_PATH_FORMATS . '/' . $format_file, and line 670 then calls file($format_file), reading arbitrary files from the filesystem. This issue has been fixed in version 1.2.31.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-25
Last Modified
2026-06-29
Generated
2026-07-16
AI Q&A
2026-06-26
EPSS Evaluated
2026-07-15
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
cacti cacti to 1.2.31 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects Cacti versions 1.2.30 and earlier. It is a Path Traversal vulnerability involving the 'format_file' parameter in report generation. The issue occurs in two stages: first, the 'format_file' parameter is stored directly into the database without validation, allowing malicious input to be saved. Second, when the report is generated, the application reads the file specified by this parameter from the filesystem without proper sanitization, enabling an attacker to read arbitrary files on the server.

Impact Analysis

This vulnerability can allow an attacker with limited privileges to read arbitrary files on the server where Cacti is installed. This could lead to exposure of sensitive information such as configuration files, credentials, or other data stored on the system, potentially compromising the security of the affected environment.

Mitigation Strategies

To mitigate this vulnerability, upgrade Cacti to version 1.2.31 or later, where the issue has been fixed.

Compliance Impact

The vulnerability allows arbitrary file read through a path traversal attack, potentially exposing sensitive information stored on the affected system.

Exposure of sensitive data due to this vulnerability could lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require safeguarding personal and health information against unauthorized access.

However, specific impacts on compliance depend on the nature of the data exposed and the environment in which Cacti is deployed.

Detection Guidance

This vulnerability can be detected by checking if your Cacti installation is running version 1.2.30 or earlier, as these versions are vulnerable to arbitrary file read via path traversal through the format_file parameter.

To detect exploitation attempts on your system or network, you can monitor HTTP POST requests to the report management functionality that include suspicious path traversal sequences such as "../../" in the format_file parameter.

Example commands to detect such attempts in web server logs (assuming Apache logs) include:

  • grep -i 'POST' /var/log/apache2/access.log | grep 'format_file=.*\.\./'
  • grep -E 'format_file=.*\.\./' /var/log/apache2/access.log

Additionally, you can search your Cacti database for entries in the reports table where the format_file field contains path traversal sequences, indicating stored injection attempts.

For example, using a SQL query:

  • SELECT * FROM report_formats WHERE format_file LIKE '%../%';

If such entries exist, it indicates the vulnerability may have been exploited or attempted.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40084. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart