
=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN662
_____________________________________________________________________

DATE                : 22/06/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Cacti versions prior to 1.2.31.
 
=====================================================================
https://www.cacti.net/info/changelog/1.2.31
https://github.com/Cacti/cacti/security/advisories/GHSA-69gg-mjfm-jjpc
https://github.com/Cacti/cacti/security/advisories/GHSA-rm7p-qcqm-x5m6
https://github.com/Cacti/cacti/security/advisories/GHSA-gp82-qhrg-crv7
https://github.com/Cacti/cacti/security/advisories/GHSA-9jqv-4cpm-vm2c
https://github.com/Cacti/cacti/security/advisories/GHSA-pf37-v86f-5xwp
https://github.com/Cacti/cacti/security/advisories/GHSA-xq98-376r-hv9j
https://github.com/Cacti/cacti/security/advisories/GHSA-j9jv-6xjq-9hhj
https://github.com/Cacti/cacti/security/advisories/GHSA-mjvw-mhj5-9jcj
https://github.com/Cacti/cacti/security/advisories/GHSA-pr9x-34w8-4mf7
_____________________________________________________________________

Pre-authentication SQL injection via rfilter RLIKE clause in
graph_view.php

Critical
netniV published GHSA-69gg-mjfm-jjpc Jun 19, 2026

Package
cacti/cacti

Affected versions
<= 1.2.30

Patched versions
1.2.31

Description

Internal audit finding by the Cacti security team.

Affected Component

graph_view.php: SQL RLIKE clause construction in the graph filter.

Root Cause

The rfilter request variable was concatenated into a RLIKE SQL clause
without sanitization. The endpoint does not require authentication
(graph viewing supports guest access via the configured guest user),
so the SQLi was reachable pre-auth on installs with guest viewing
enabled.


Fix

Merged in PR #7054 (commit 891344a5c10b8687a3d2a5d26e6de20f13069e2a,
branch 1.2.x, merged 2026-04-26).

    graph_view.php:470 and graph_view.php:753: rfilter now passes
through db_qstr_rlike().
    Helper db_qstr_rlike() in lib/database.php:2002-2011 caps the length
at 255, strips |, {, } and NUL, then passes the value through db_qstr()
for quoting and escaping.

Verification

At upstream/1.2.x HEAD 11b58fd5:

$sql_where .= ' gtg.title_cache ' . db_qstr_rlike(get_request_var('rfilter'));

Audit confirms all RLIKE sinks in lib/, root *.php, and
cli/ use db_qstr_rlike(). Stripping alternation and bounded-repeat
metacharacters also limits ReDoS exposure on the RLIKE engine.


Affected Versions

1.2.x releases prior to 1.2.31, the first 1.2.x release containing
commit 891344a5.

Severity Rationale

Pre-auth reachable on guest-enabled installs. CVSS estimated 9.8
(Critical) given network attack vector, no auth required (guest),
and confidentiality/integrity/availability impact via SQL.


Note

This advisory has CVE-2026-39893 assigned. Full RLIKE audit completed
2026-04-17 confirming no other unhardened sinks.


Fix

Addressed in: #7039

Severity
Critical
9.8 / 10

CVSS v3 base metrics
Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE ID
CVE-2026-39893

Weaknesses
Weakness CWE-89

Credits

    @somethingwithproof (Remediation developer)
    @netniV (Coordinator)
    @TheWitness (Remediation reviewer)


_____________________________________________________________________


Unauthenticated LFI via graph_theme and rrdtool IPC serialization
hardening

Critical
netniV published GHSA-rm7p-qcqm-x5m6 Jun 19, 2026

Package
cacti

Affected versions
<= 1.2.30

Patched versions
1.2.31

Description

Updated Fix Status

Previous fix used basename() only, which is bypassable. Strengthened
with filesystem-allowlist validation in cacti_validate_theme() —
https://github.com/somethingwithproof/cacti/tree/fix/ghsa-rm7p-allowlist

Reviewed in session 2026-04-17.

Fix
Addressed by: #6966

Severity
Critical
9.8 / 10

CVSS v3 base metrics
Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE ID
CVE-2026-39938

Weaknesses
Weakness CWE-22
Weakness CWE-78

Credits

    @kx00007 (Reporter)
    @somethingwithproof (Remediation developer)
    @davidkm-ai (Reporter)
    @netniV (Coordinator)

_____________________________________________________________________


Pre-Authentication SQL Injection via unanchored FILTER_VALIDATE_REGEXP
in graph_view.php

Critical
netniV published GHSA-gp82-qhrg-crv7 Jun 19, 2026

Package
cacti/cacti

Affected versions
<= 1.2.30

Patched versions
1.2.31

Description

Status

Fix branch in private advisory repository.

Security hardening context available in PR #7054 and PR #7055.


Fix
Addressed in: #7039

Severity
Critical
9.8 / 10

CVSS v3 base metrics
Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE ID
CVE-2026-39955

Weaknesses
Weakness CWE-89

Credits

    @davidkm-ai (Reporter)
    @netniV (Coordinator)

_____________________________________________________________________

SQL Injection via rfilter parameter in RLIKE clauses
Critical
netniV published GHSA-9jqv-4cpm-vm2c Jun 19, 2026

Package
cacti/cacti

Affected versions
<= 1.2.30

Patched versions
1.2.31


Description

Internal audit finding by the Cacti security team.
SQL Injection via rfilter Parameter in RLIKE Clauses (Multiple Files)

Integration Test Result

When rfilter passes through gfrv(FILTER_VALIDATE_IS_REGEX), the payload
IS blocked. Cacti's validate_is_regex() rejects the SQL breakout
pattern a' OR 1=1 -- because the unbalanced quote causes a PCRE
compilation error.

However, graph_view.php uses grv('rfilter') (raw, no filter), NOT gfrv().
The quote passes through grv() unmodified and reaches the RLIKE SQL sink.
This is the pre-auth vector tracked in GHSA-69gg-mjfm-jjpc.


Affected Sites Using grv() (VULNERABLE)

    lib/html_graph.php:858, 1234 (pre-auth via graph_view.php)
    lib/html_tree.php:1432, 1489, 1640, 1724 (pre-auth via graph_view.php)
    aggregate_graphs.php:1578 (post-auth)

Sites Using gfrv() with FILTER_VALIDATE_IS_REGEX (BLOCKED)

Files that validate rfilter with gfrv() before using it in RLIKE clauses
are NOT vulnerable to this specific injection pattern.

Fix

All RLIKE string-concatenation sites must use db_qstr() or parameterized
queries regardless of input validation, as defense-in-depth.
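The following is an added example, not Cacti code, modelling in plain PHP the rfilter hardening described in GHSA-69gg-mjfm-jjpc and the grv()/gfrv() distinction made in this advisory. Assumptions: demo_db_qstr() stands in for Cacti's db_qstr(); demo_is_regex() stands in for the FILTER_VALIDATE_IS_REGEX gate and models it as a PCRE compile inside single-quote delimiters (an assumed detail chosen to reproduce the compile error the advisory attributes to the unbalanced quote); and db_qstr_rlike() here emits the RLIKE keyword itself, as the verification line in GHSA-69gg suggests. The sample inputs are constructed.

```php
<?php
// Added example, not Cacti code: plain-PHP model of the rfilter hardening from
// GHSA-69gg-mjfm-jjpc / GHSA-9jqv-4cpm-vm2c. demo_* functions are stand-ins
// (assumptions), not Cacti's real helpers.

// Stand-in for db_qstr(): quote a value as a SQL string literal, escaping the
// characters a MySQL quoting helper escapes.
function demo_db_qstr(string $value): string {
    return "'" . addcslashes($value, "\\'\"\0\n\r\x1a") . "'";
}

// Model of the helper the advisory describes: cap at 255 bytes, strip the
// alternation / bounded-repeat metacharacters and NUL, then quote.
// Emitting the RLIKE keyword here is an assumption drawn from the
// verification line in GHSA-69gg.
function db_qstr_rlike(string $value): string {
    $value = substr($value, 0, 255);
    $value = str_replace(['|', '{', '}', "\0"], '', $value);
    return 'RLIKE ' . demo_db_qstr($value);
}

// Pre-fix shape: the raw request value is concatenated into the clause.
function vulnerable_clause(string $rfilter): string {
    return "gtg.title_cache RLIKE '" . $rfilter . "'";
}

// Post-fix shape (graph_view.php after PR #7054).
function hardened_clause(string $rfilter): string {
    return 'gtg.title_cache ' . db_qstr_rlike($rfilter);
}

// Stand-in for the gfrv(FILTER_VALIDATE_IS_REGEX) gate: compile the value as
// a PCRE pattern inside single-quote delimiters. An unbalanced quote ends the
// pattern early and the remainder is rejected as unknown modifiers.
function demo_is_regex(string $value): bool {
    return @preg_match("'" . $value . "'", '') !== false;
}

function abbrev(string $s): string {
    return strlen($s) > 60 ? substr($s, 0, 60) . '...' : $s;
}

// Constructed inputs: the advisory's breakout payload, two syntactically valid
// regexes that use the features db_qstr_rlike() strips, and an oversized one.
$samples = [
    "a' OR 1=1 -- ",
    'cpu|mem',
    '(a+){1,9999}',
    str_repeat('x', 300),
];

foreach ($samples as $rfilter) {
    $hardened = hardened_clause($rfilter);
    printf("input      : %s\n", abbrev($rfilter));
    printf("regex gate : %s\n", demo_is_regex($rfilter) ? 'accepted' : 'rejected (compile error)');
    printf("vulnerable : %s\n", abbrev(vulnerable_clause($rfilter)));
    printf("hardened   : %s  (%d bytes)\n\n", abbrev($hardened), strlen($hardened));
}
```

For the breakout payload the vulnerable clause becomes `gtg.title_cache RLIKE 'a' OR 1=1 -- '`, while the hardened clause keeps the quote inside the literal (`RLIKE 'a\' OR 1=1 -- '`). The regex gate refuses that payload but accepts `cpu|mem` and `(a+){1,9999}` unchanged, which is the point of the advisory's defense-in-depth note: validation decides what is a plausible regex, quoting is what keeps it out of the SQL grammar, and the metacharacter stripping is what bounds the cost of the pattern on the server.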


Relationship

This advisory overlaps significantly with GHSA-69gg-mjfm-jjpc. The pre-auth
vector through grv() is the critical path.

Fix
Addressed by: 136ae6e


Severity
Critical

CVE ID
CVE-2026-39948

Weaknesses
Weakness CWE-89

Credits

    @somethingwithproof (Remediation developer)
    @netniV (Coordinator)

_____________________________________________________________________


Stored SQL Injection via graph_name_regexp in Reports feature
High
netniV published GHSA-pf37-v86f-5xwp Jun 18, 2026

Software
cacti/cacti

Affected versions
<= 1.2.30

Patched versions
1.2.31

Description

Updated Fix Status

Full graph_name_regexp audit confirmed — all SQL sinks use db_qstr_rlike(),
all HTML display uses html_escape(). No additional fix needed.

Reviewed in session 2026-04-17.

Fix

Addressed in: #7039


Severity
High
7.6 / 10

CVSS v3 base metrics
Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
Low
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L

CVE ID
CVE-2026-39951

Weaknesses
Weakness CWE-89

Credits

    @netniV (Coordinator)

_____________________________________________________________________


Command Injection via escape_command() no-op in RRDtool execution
High
netniV published GHSA-xq98-376r-hv9j Jun 19, 2026

Package
cacti/cacti

Affected versions
<= 1.2.30

Patched versions
1.2.31


Description

Internal audit finding by the Cacti security team.

Command Injection in RRDtool Execution via escape_command() No-Op

Affected Component

lib/rrd.php:33-34 (escape_command), lib/rrd.php:378, 421 (__rrd_execute)

Root Cause

The escape_command() function at lib/rrd.php:33 is a no-op: it returns
$command unchanged. The command line built by rrdtool_function_graph() is
passed through this function and then to shell_exec($full_commandline)
at line 421.

The rrdtool_function_tune() function was previously vulnerable but was
fixed in commit bbcde92 (all tune parameters now wrapped with
cacti_escapeshellarg()).

The residual risk is in __rrd_execute() where text_format values from graph
templates (which may contain host variable substitutions) reach shell_exec
without adequate escaping.

Status

PARTIALLY FIXED. The tune function is fixed. The graph rendering shell_exec
path has residual injection surface.

Fix

    Replace escape_command() no-op with actual sanitization, or remove it
and ensure all callers escape arguments
    Audit all values flowing into $command_line for __rrd_execute
    Consider defaulting to the pipe path (fwrite), which does not invoke
a shell
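The following is an added example, not Cacti code, contrasting the shell_exec() path this advisory describes with the two remedies in the fix list: escaping each argument on the string path, and not invoking a shell at all. Assumptions: /bin/echo stands in for the configured rrdtool binary so the example runs anywhere; the COMMENT text is constructed; and every function name except escape_command() is hypothetical. The shell-free variant uses proc_open() with an argv array, which is a different mechanism from Cacti's fwrite() pipe path but shares the property the third bullet is after: no shell parses the command line.

```php
<?php
// Added example, not Cacti code: the shell_exec() pattern from
// GHSA-xq98-376r-hv9j next to an escaped string path and a shell-free argv path.
// /bin/echo is a stand-in for rrdtool; function names other than
// escape_command() are hypothetical.

// A COMMENT text as it might look after host variable substitution in a graph
// template (constructed). Inside a double-quoted shell word, $(id) is a
// command substitution the shell will run.
$text_format = 'Load on $(id)';

// The no-op the advisory describes: the command line comes back unchanged.
function escape_command(string $command): string {
    return $command;
}

// Pre-fix shape: concatenate, pass through the no-op, hand the string to a shell.
function vulnerable_commandline(string $rrdtool, string $text_format): string {
    $command = $rrdtool . ' graph - --width 400 COMMENT:"' . $text_format . '"';
    return escape_command($command);
}

// Fix list, first bullet: keep the string path but escape every argument that
// carries user-influenced data (what cacti_escapeshellarg() does for tune).
function escaped_commandline(string $rrdtool, string $text_format): string {
    return escapeshellarg($rrdtool) . ' graph - --width 400 '
         . escapeshellarg('COMMENT:' . $text_format);
}

// Fix list, third bullet, same principle: no shell. proc_open() with an argv
// array (PHP >= 7.4) execs the binary directly, so no metacharacter is parsed.
function run_without_shell(array $argv): string {
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($argv, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('proc_open failed');
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return $out;
}

$rrdtool = '/bin/echo';   // stand-in for the configured rrdtool path

echo "vulnerable string : ", vulnerable_commandline($rrdtool, $text_format), "\n";
// The shell expands $(id) before echo ever sees its arguments.
echo "what the shell ran: ", shell_exec(vulnerable_commandline($rrdtool, $text_format));
echo "escaped string    : ", escaped_commandline($rrdtool, $text_format), "\n";
// The argv path delivers the text byte-for-byte, $(id) included, unexpanded.
echo "argv, no shell    : ", run_without_shell([
    $rrdtool, 'graph', '-', '--width', '400', 'COMMENT:' . $text_format,
]);
```

The "what the shell ran" line shows the output of id(1) spliced into the rrdtool arguments; the escaped line wraps the whole COMMENT in single quotes so the shell passes it literally; the argv line never touches a shell. Whichever path is kept, the audit the second bullet asks for matters as much as the mechanism: an escaping function that is called on the assembled command line rather than on each argument, as escape_command() was, cannot tell data from syntax.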


Severity
High

CVE ID
CVE-2026-40079

Weaknesses
Weakness CWE-78

Credits

    @netniV (Coordinator)
    @TheWitness (Remediation reviewer)


_____________________________________________________________________


SQL Injection in managers.php
High
netniV published GHSA-j9jv-6xjq-9hhj Jun 19, 2026

Package
cacti/cacti

Affected versions
<= 1.2.30

Patched versions
1.2.31


Description

SQL Injection via unsanitized unserialize+implode in managers.php

Affected Component

managers.php:756-766

Root Cause

    managers.php:756: $selected_items = cacti_unserialize(stripslashes(gnrv('selected_graphs_array')));

    cacti_unserialize() calls unserialize() with allowed_classes=>false (prevents
object injection but allows arbitrary string arrays)

    managers.php:760-766: db_execute('DELETE FROM snmpagent_managers
WHERE id IN (' . implode(',', $selected_items) . ')') -- array values from
deserialized user input are directly imploded into SQL without integer
validation


Authentication

Post-auth (requires SNMP agent management permissions).


PoC

POST /cacti/managers.php
action=actions&drp_action=1&selected_graphs_array=a:1:{i:0;s:25:"1) OR 1=1; DROP TABLE x--";}


Fix

$selected_items = array_map('intval', $selected_items);

before all implode() calls. Audit all other form_actions() implementations
for the same pattern.
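The following is an added example, not Cacti code, replaying the PoC payload above through a model of the managers.php handling and then applying the intval() fix, plus a stricter variant that rejects instead of coerces. Assumptions: demo_unserialize() stands in for cacti_unserialize() using the same allowed_classes=>false call; the other function names are hypothetical; the serialized payload is the one quoted in the PoC.

```php
<?php
// Added example, not Cacti code: GHSA-j9jv-6xjq-9hhj PoC payload replayed
// through a model of managers.php:756-766, then the intval() fix and a
// stricter reject-instead-of-coerce variant. Function names are hypothetical.

// The value the PoC sends in selected_graphs_array (after stripslashes()).
$payload = 'a:1:{i:0;s:25:"1) OR 1=1; DROP TABLE x--";}';

// Same call cacti_unserialize() makes: objects are refused, but an array of
// arbitrary strings is returned as-is.
function demo_unserialize(string $data): array {
    $items = @unserialize($data, ['allowed_classes' => false]);
    return is_array($items) ? $items : [];
}

// Pre-fix: deserialized strings imploded straight into the IN (...) list.
function vulnerable_delete_sql(array $selected_items): string {
    return 'DELETE FROM snmpagent_managers WHERE id IN ('
        . implode(',', $selected_items) . ')';
}

// Fix as merged: coerce every element to an integer before implode().
// Note intval("1) OR 1=1; ...") is 1, so the request still deletes id 1.
function intval_delete_sql(array $selected_items): string {
    $selected_items = array_map('intval', $selected_items);
    return 'DELETE FROM snmpagent_managers WHERE id IN ('
        . implode(',', $selected_items) . ')';
}

// Stricter variant: accept only canonical positive integers and a non-empty
// list; anything else is an invalid request, not something to repair.
// (An empty list would otherwise produce "IN ()", a syntax error.)
function strict_delete_sql(array $selected_items): ?string {
    if ($selected_items === []) {
        return null;
    }
    foreach ($selected_items as $item) {
        if (!is_int($item) && !is_string($item)) {
            return null;
        }
        if (!preg_match('/\A[1-9][0-9]*\z/', (string) $item)) {
            return null;
        }
    }
    return 'DELETE FROM snmpagent_managers WHERE id IN ('
        . implode(',', $selected_items) . ')';
}

$items = demo_unserialize($payload);
echo "vulnerable : ", vulnerable_delete_sql($items), "\n";
echo "intval     : ", intval_delete_sql($items), "\n";
echo "strict     : ", strict_delete_sql($items) ?? 'rejected', "\n";
echo "strict, ok : ", strict_delete_sql(['3', '17']) ?? 'rejected', "\n";
echo "strict, [] : ", strict_delete_sql([]) ?? 'rejected', "\n";
```

The vulnerable line yields `... WHERE id IN (1) OR 1=1; DROP TABLE x--)`; the intval() line yields `... IN (1)`; the strict variant rejects the payload and the empty list and accepts `IN (3,17)`. The advisory's closing remark applies to both hardened forms: every other form_actions() implementation that implodes a deserialized selection needs the same treatment.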


Fix: 52032e760


Severity
High
7.2 / 10

CVSS v3 base metrics
Attack vector
Network
Attack complexity
Low
Privileges required
High
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE ID
CVE-2026-40083

Weaknesses
Weakness CWE-89

Credits

    @Texuguinho1234 (Reporter)
    @jpgjpgjpgjpg (Reporter)
    @netniV (Coordinator)


_____________________________________________________________________


Arbitrary File Read via Path Traversal in Report format_file Parameter
Moderate
netniV published GHSA-mjvw-mhj5-9jcj Jun 19, 2026

Package
cacti/cacti

Affected versions
<= 1.2.30

Patched versions
1.2.31

Description

Arbitrary File Read via Path Traversal in Report format_file Parameter

Affected Component

lib/html_reports.php:283 (save), lib/reports.php:667-670 (load)

Root Cause

Stage 1 (stored injection): lib/html_reports.php:283 stores
$save['format_file'] = $post['format_file'] directly into the database
without any validation.

Stage 2 (file read): lib/reports.php:667 concatenates
CACTI_PATH_FORMATS . '/' . $format_file, so a traversal sequence in the
stored value escapes the formats directory, and line 670 calls
file($format_file) on the result, reading arbitrary files.


Authentication

Post-auth (requires realm 22, report management permission).

PoC

POST /cacti/reports.php
action=save&save_component_report=1&id=1&format_file=../../include/config.php&...

Then view/generate the report to see config.php contents (including DB credentials).


Fix

    Save path: $save['format_file'] = basename($post['format_file']);
    Load path: $format_file = CACTI_PATH_FORMATS . '/' . basename($format_file);

Fix

Addressed in: #7039


Severity
Moderate
6.5 / 10

CVSS v3 base metrics
Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVE ID
CVE-2026-40084

Weaknesses
Weakness CWE-22

Credits

    @TristanInSec (Reporter)
    @netniV (Coordinator)


_____________________________________________________________________


Path traversal via filename parameter in package_import.php
Moderate
netniV published GHSA-pr9x-34w8-4mf7 Jun 18, 2026

Package
cacti/cacti

Affected versions
<= 1.2.30

Patched versions
1.2.31


Description

Internal audit finding by the Cacti security team.

Updated Fix Status

Previous fix had a symlink TOCTOU gap. validate_path_within() now verifies the
resolved canonical path —
https://github.com/somethingwithproof/cacti/tree/fix/ghsa-pr9x-symlink-toctou

Reviewed in session 2026-04-17.
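The following is an added example, not Cacti code, showing the two path-validation patterns that recur across these advisories: the filesystem allowlist GHSA-rm7p-qcqm-x5m6 adopted for themes, and the canonical-path containment check this advisory describes for package_import.php, applied here to the report format_file case of GHSA-mjvw-mhj5-9jcj, whose basename()-only fix it compares against. Assumptions: the directory tree is constructed in a temporary directory (Linux assumed for symlink()); allowlisted_name() and path_within() are hypothetical names, not Cacti's cacti_validate_theme() or validate_path_within(), and model the approach rather than reproduce their code.

```php
<?php
// Added example, not Cacti code: basename()-only vs filesystem allowlist vs
// canonical-path containment, on a constructed directory tree. Function names
// are hypothetical, not Cacti's.

$root    = sys_get_temp_dir() . '/cacti_demo_' . bin2hex(random_bytes(4));
$formats = $root . '/formats';    // plays the role of CACTI_PATH_FORMATS
$include = $root . '/include';
mkdir($formats, 0700, true);
mkdir($include, 0700, true);
file_put_contents($formats . '/default.format', "constructed sample format\n");
file_put_contents($include . '/config.php', "<?php \$database_password = 'constructed';\n");
// A symlink inside formats/ pointing outside it: basename() alone passes it,
// which is the gap the advisory's canonical-path check closes.
symlink($include . '/config.php', $formats . '/leak.format');

// Pattern 1 (filesystem allowlist): the name must equal an existing regular,
// non-symlinked entry of the directory; anything else is rejected.
function allowlisted_name(string $dir, string $name): ?string {
    foreach (scandir($dir) ?: [] as $entry) {
        $full = $dir . '/' . $entry;
        if ($entry === $name && is_file($full) && !is_link($full)) {
            return $entry;
        }
    }
    return null;
}

// Pattern 2 (canonical-path containment): resolve symlinks and ".." with
// realpath() and require the result to stay under the resolved base.
function path_within(string $dir, string $candidate): ?string {
    $base = realpath($dir);
    $real = realpath($dir . '/' . basename($candidate));
    if ($base === false || $real === false) {
        return null;                              // missing or unresolvable
    }
    if (strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;                              // resolved outside $dir
    }
    return $real;
}

$inputs = ['default.format', '../../include/config.php', 'leak.format'];
foreach ($inputs as $input) {
    $naive = $formats . '/' . basename($input);   // the basename()-only fix
    printf("%-26s basename-only: %s\n", $input,
        is_readable($naive) ? 'readable' : 'missing');
    printf("%-26s allowlist    : %s\n", '',
        allowlisted_name($formats, basename($input)) ?? 'rejected');
    printf("%-26s canonical    : %s\n\n", '',
        path_within($formats, $input) ?? 'rejected');
}

// Remove the constructed tree.
unlink($formats . '/leak.format');
unlink($formats . '/default.format');
unlink($include . '/config.php');
rmdir($formats);
rmdir($include);
rmdir($root);
```

basename() stops the `../../include/config.php` traversal (the stripped name does not exist in formats/), but reports the symlink as readable; both the allowlist and the canonical check reject it. The check is still a separate operation from the later file() call, so the usual companion measure applies: keep the formats, themes and import directories unwritable by the web server user, so that no link can be planted between the check and the open.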

Fix: 637e0d618

Severity
Moderate

CVE ID
CVE-2026-39899

Weaknesses
Weakness CWE-22

Credits

    @somethingwithproof (Reporter)
    @netniV (Coordinator)



=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================




