SB20260619121 - Multiple vulnerabilities in Cacti



Published: June 19, 2026

Security Bulletin ID: SB20260619121
CSH Severity: Medium
Patch available: YES
Number of vulnerabilities: 8
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

Medium: 50% (4 of 8), Low: 50% (4 of 8)

Description

This security bulletin contains information about 8 vulnerabilities.


1) SQL injection (CVE-ID: CVE-2026-46531)

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote privileged user to disclose sensitive information.

The vulnerability exists due to SQL injection in create_all_header_nodes() in lib/api_automation.php: the stored value of automation_tree_rule_items.field is used in a query without proper neutralization when an automation rule is executed. A remote privileged user can store a crafted SQL fragment in that field; it is executed later, when the rule runs, and the query result discloses sensitive information.

The result of the injected query is written into graph_tree_items.title and rendered in the Cacti tree UI, which is the channel through which the data is exposed. Exploitation requires an administrator to trigger the standard Apply Automation Rules bulk action.


2) Use of Function with Inconsistent Implementations (CVE-ID: CVE-2026-39894)

CWE-ID: CWE-474 - Use of Function with Inconsistent Implementations

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows an attacker to corrupt the metric values written to RRD files.

The vulnerability exists due to the use of a function with inconsistent, locale-dependent implementations in rrdtool_function_update() when numeric metric values are formatted for RRDtool updates. Under an LC_NUMERIC locale that uses a comma as the decimal separator, a value such as 1.5 is formatted as 1,5, and the update string handed to RRDtool is corrupted.

Exploitation requires the server to use an LC_NUMERIC locale with a comma decimal separator. The CVSSv4 vector rates the attack vector as local (AV:L) with low privileges required (PR:L).
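
As an added illustration (Python, not Cacti's PHP code), the following builds an rrdtool update value string with locale-independent formatting and rejects any slot that is not a number or U, which is exactly what a comma-decimal value such as 1,5 becomes once the string is split on colons. The locale_formatted() helper only reproduces the failure mode on hosts where a comma-decimal locale (de_DE.UTF-8 is assumed) is installed and returns None otherwise. In PHP the same guard applies to printf-style formatting, which honours LC_NUMERIC.

```python
import locale
import re

# RRDtool accepts per value slot a decimal number (optional sign, fraction,
# exponent) or the literal "U" for "unknown"; slots are separated by ':'.
# A comma is never valid inside a number, so a locale-formatted "1,5" fails.
_RRD_NUMBER = re.compile(r"^[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?$")


def format_rrd_value(value):
    """Locale-independent rendering of one metric value for 'rrdtool update'.

    repr(float) is shortest round-trip and never consults LC_NUMERIC; the
    helper pins that choice and maps None to RRDtool's 'U'.
    """
    if value is None:
        return "U"
    return repr(float(value))


def locale_formatted(value, lc="de_DE.UTF-8"):
    """Show what a locale-aware printf-style formatter does to the same value.

    Constructed demonstration only: returns None when the locale is not
    installed on this host, so callers must never rely on it.
    """
    try:
        previous = locale.setlocale(locale.LC_NUMERIC)
        locale.setlocale(locale.LC_NUMERIC, lc)
        try:
            return locale.format_string("%g", value)   # "1,5" under de_DE
        finally:
            locale.setlocale(locale.LC_NUMERIC, previous)
    except locale.Error:
        return None


def validate_update_string(update):
    """Check a complete 'rrdtool update' argument such as 'N:1.5:U:42.0'.

    Returns (ok, reason). Every slot after the timestamp must be a number or
    'U'; anything else (a comma-decimal value, 'nan', 'inf', an empty slot)
    is rejected before it reaches rrdtool and corrupts the archive.
    """
    slots = update.split(":")
    if len(slots) < 2:
        return False, "need a timestamp and at least one value"
    if not (slots[0] == "N" or slots[0].isdigit()):
        return False, f"timestamp must be 'N' or an integer, got {slots[0]!r}"
    for i, slot in enumerate(slots[1:], start=1):
        if slot != "U" and not _RRD_NUMBER.match(slot):
            return False, f"slot {i} is not a number or 'U': {slot!r}"
    return True, ""


def build_update(timestamp, values):
    """Assemble and validate the update string; raise instead of corrupting."""
    update = ":".join([str(timestamp)] + [format_rrd_value(v) for v in values])
    ok, reason = validate_update_string(update)
    if not ok:
        raise ValueError(reason)
    return update


if __name__ == "__main__":
    print(build_update("N", [1.5, None, 42]))   # N:1.5:U:42.0
    print(validate_update_string("N:1,5:U"))    # (False, "slot 1 is not a number or 'U': '1,5'")
    print(locale_formatted(1.5))                # "1,5" where de_DE is installed, else None
```

The validator is the part worth keeping: it turns a silently corrupted data point into a logged error at the boundary where the string leaves the application, whatever locale the web server or poller happens to run under.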


3) Improper Verification of Cryptographic Signature (CVE-ID: CVE-2026-40941)

CWE-ID: CWE-347 - Improper Verification of Cryptographic Signature

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to bypass package signature validation and import a self-signed package.

The vulnerability exists due to improper verification of cryptographic signatures in the package import mechanism: a package signature is accepted without the signing key being checked against a trusted key, so a package signed with an attacker-generated key passes validation. A remote attacker can supply such a self-signed package and have it imported as if it were legitimately signed.


4) SQL injection (CVE-ID: CVE-2026-39951)

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information and modify data.

The vulnerability exists due to SQL injection in the Reports feature: the graph_name_regexp parameter is embedded in a SQL query without proper neutralization. A remote user with the privileges needed to use Reports (PR:L in the vector) can supply a specially crafted graph_name_regexp value to disclose sensitive information and modify data.
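
Items 1 and 4 share a root cause but need different fixes, because item 1 injects through a column identifier and item 4 through a value. The added example below (Python with an in-memory SQLite stand-in, not Cacti's PHP code; the table layout, the user_auth table and the assumption that automation_tree_rule_items.field holds a column name are constructed for illustration and do not reproduce the Cacti schema) shows each vulnerable query beside its hardened form: the stored field name is checked against the columns the table actually has, since identifiers cannot be bound as parameters, and the regular expression is bound as a parameter.

```python
import re
import sqlite3


def make_db():
    """Constructed stand-in for the tables involved; user_auth plays the role
    of the data an attacker wants to read."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE graph_templates_graph "
                 "(id INTEGER, local_graph_id INTEGER, title_cache TEXT)")
    conn.executemany("INSERT INTO graph_templates_graph VALUES (?, ?, ?)",
                     [(1, 10, "Traffic - eth0"), (2, 11, "Traffic - eth1"),
                      (3, 12, "CPU load")])
    conn.execute("CREATE TABLE user_auth (id INTEGER, username TEXT, password TEXT)")
    conn.execute("INSERT INTO user_auth VALUES (1, 'admin', 'hash-of-admin-password')")
    # MySQL has REGEXP built in; SQLite needs it registered. 'x REGEXP y' calls regexp(y, x).
    conn.create_function(
        "REGEXP", 2,
        lambda pattern, text: 1 if text is not None and re.search(pattern, text) else 0)
    return conn


# --- item 1: a stored column name used to build tree header nodes ----------

def header_values_vulnerable(conn, field):
    """Interpolates the stored field name straight into the statement."""
    return [row[0] for row in conn.execute(
        f"SELECT DISTINCT {field} FROM graph_templates_graph")]


def header_values_safe(conn, field):
    """Identifiers cannot be bound, so check the name against the live schema."""
    allowed = {row[1] for row in conn.execute("PRAGMA table_info(graph_templates_graph)")}
    if field not in allowed:
        raise ValueError(f"field {field!r} is not a column of graph_templates_graph")
    # Quoting is defence in depth; the allowlist is what makes this safe.
    return [row[0] for row in conn.execute(
        f'SELECT DISTINCT "{field}" FROM graph_templates_graph ORDER BY 1')]


# --- item 4: a user-supplied regular expression used as a value ------------

def report_graphs_vulnerable(conn, graph_name_regexp):
    """String-builds the WHERE clause; a quote in the input ends the literal."""
    return [row[0] for row in conn.execute(
        "SELECT title_cache FROM graph_templates_graph "
        f"WHERE title_cache REGEXP '{graph_name_regexp}'")]


def report_graphs_safe(conn, graph_name_regexp):
    """Binds the pattern as a parameter and rejects patterns that do not compile."""
    try:
        re.compile(graph_name_regexp)
    except re.error as exc:
        raise ValueError(f"invalid pattern: {exc}") from None
    return [row[0] for row in conn.execute(
        "SELECT title_cache FROM graph_templates_graph "
        "WHERE title_cache REGEXP ? ORDER BY id", (graph_name_regexp,))]


if __name__ == "__main__":
    db = make_db()
    payload = "' UNION SELECT password FROM user_auth -- "
    print(header_values_vulnerable(db, "password FROM user_auth --"))  # leaks the hash
    print(report_graphs_vulnerable(db, payload))                       # titles plus the hash
    print(report_graphs_safe(db, payload))                             # [] (pattern matches nothing)
    print(report_graphs_safe(db, "^Traffic"))                          # the two traffic graphs
```

The identifier case is the one that tends to survive code review: escaping functions meant for string values do nothing for a column name, so the only robust check is membership in a list of names the application controls, here taken from the schema itself rather than hard-coded.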


5) Path traversal (CVE-ID: CVE-2026-39899)

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to read files outside the intended directory.

The vulnerability exists due to path traversal in the filename parameter of package_import.php when handling package import requests: the parameter is used to build a filesystem path without confining the result to the package directory. A remote user can supply a filename containing traversal sequences such as ../ to access files outside the intended directory. The vector rates confidentiality impact as high (VC:H) with no integrity impact (VI:N), i.e. a file read rather than a file write.
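
As an added example (Python, not Cacti's code; the directory layout and the package naming rule are constructed in a temporary directory), the following shows the traversal beside the two checks that stop it: a package import should accept a bare file name of the expected shape only and, as defence in depth, the resolved path must still lie inside the package directory after .. components and symlinks are resolved.

```python
import os
import re
import tempfile

_PACKAGE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*\.xml(\.gz)?$")  # assumed naming rule


def read_package_vulnerable(package_dir, filename):
    """Joins the request parameter onto the directory with no containment check."""
    with open(os.path.join(package_dir, filename), "r", encoding="utf-8") as fh:
        return fh.read()


def resolve_inside(package_dir, filename):
    """Resolve filename under package_dir and refuse anything that lands outside.

    realpath() collapses '..' and follows symlinks, so the comparison is made
    on the final location. The separator is appended to the base so that
    '/srv/packages-evil' is not accepted as being inside '/srv/packages'.
    """
    base = os.path.realpath(package_dir)
    target = os.path.realpath(os.path.join(base, filename))
    if not target.startswith(base + os.sep):
        raise ValueError(f"{filename!r} resolves outside {base}")
    return target


def read_package_safe(package_dir, filename):
    """Layer 1: only a plain file name with the expected shape is allowed.
    Layer 2: the resolved path must still be inside the package directory."""
    if os.path.basename(filename) != filename or not _PACKAGE_NAME.match(filename):
        raise ValueError(f"invalid package file name {filename!r}")
    with open(resolve_inside(package_dir, filename), "r", encoding="utf-8") as fh:
        return fh.read()


def run_demo():
    """Constructed layout: packages/pkg.xml inside, secret.txt one level up."""
    root = tempfile.mkdtemp()
    package_dir = os.path.join(root, "packages")
    os.mkdir(package_dir)
    with open(os.path.join(package_dir, "pkg.xml"), "w", encoding="utf-8") as fh:
        fh.write("<cacti>package</cacti>")
    with open(os.path.join(root, "secret.txt"), "w", encoding="utf-8") as fh:
        fh.write("db password")
    results = {"legit": read_package_safe(package_dir, "pkg.xml"),
               "vulnerable_leak": read_package_vulnerable(package_dir, "../secret.txt")}
    for name in ("../secret.txt", "/etc/passwd", "sub/../../secret.txt", "pkg.xml/../../secret.txt"):
        try:
            read_package_safe(package_dir, name)
            results[name] = "accepted"
        except ValueError:
            results[name] = "rejected"
    # A symlink inside the directory that points outside passes layer 1 and is caught by layer 2.
    try:
        os.symlink(os.path.join(root, "secret.txt"), os.path.join(package_dir, "link.xml"))
    except OSError:
        results["symlink"] = "unsupported"          # platforms without symlink support
        return results
    try:
        read_package_safe(package_dir, "link.xml")
        results["symlink"] = "accepted"
    except ValueError:
        results["symlink"] = "rejected"
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The symlink case is why the second layer exists: a name that passes every lexical check can still point outside the directory once the filesystem is consulted, which is why the containment test is done on the real path rather than on the string.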


6) Cross-site scripting (CVE-ID: CVE-2026-39900)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to execute arbitrary script in the victim's browser.

The vulnerability exists due to cross-site scripting in auth_profile.php: the tab parameter is written into a JavaScript string context without escaping appropriate to that context, so a value containing a quote or a closing script tag can break out of the string literal. A remote attacker can induce a victim to open a specially crafted request (UI:A in the vector) to execute arbitrary script in the victim's browser.


7) Cross-site scripting (CVE-ID: CVE-2026-39897)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to execute arbitrary script in a user's browser.

The vulnerability exists due to cross-site scripting in the error message output of html_auth_footer: attacker-influenced input is reflected in an error message without HTML encoding. A remote attacker can supply specially crafted input that ends up in such an error message to execute arbitrary script in a user's browser.
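
Items 6 and 7 differ only in output context, and the context decides the correct escaping. The added example below (Python, not Cacti's PHP; the tab names are assumed) renders each vulnerable template beside a hardened one: the tab value is restricted to a known set and, when placed in a JavaScript string, emitted as a JSON string literal with </ broken up so it cannot close the script element; the error message is HTML-encoded for element content. In PHP the equivalents are json_encode() with JSON_HEX_TAG for the script context and htmlspecialchars() for the HTML context.

```python
import html
import json

ALLOWED_TABS = ("general", "settings", "graphs")   # assumed tab names
DEFAULT_TAB = "general"


def select_tab(tab):
    """Input validation layer: an unknown tab falls back to the default."""
    return tab if tab in ALLOWED_TABS else DEFAULT_TAB


def js_string_literal(value):
    """Encode value as a JavaScript string literal that is safe inside <script>.

    json.dumps escapes quotes, backslashes and control characters and, with
    ensure_ascii, U+2028/U+2029. It does not escape '/', so '</' is split so
    that the literal can never contain '</script>' and end the element early.
    """
    return json.dumps(str(value)).replace("</", "<\\/")


# --- item 6: a request parameter inside a JavaScript string ----------------

def render_tab_script_vulnerable(tab):
    return f"<script>var tab = '{tab}';</script>"


def render_tab_script_escaped_only(tab):
    """Context-correct encoding alone: safe, and the value is preserved verbatim."""
    return f"<script>var tab = {js_string_literal(tab)};</script>"


def render_tab_script_safe(tab):
    """Allowlist plus encoding: the script only ever sees a known tab name."""
    return f"<script>var tab = {js_string_literal(select_tab(tab))};</script>"


# --- item 7: attacker-influenced text inside an HTML error message ---------

def render_error_vulnerable(message):
    return f'<div class="error">{message}</div>'


def render_error_safe(message):
    return f'<div class="error">{html.escape(message, quote=True)}</div>'


if __name__ == "__main__":
    breakout = "';alert(1)//"
    close_tag = "</script><img src=x onerror=alert(1)>"
    print(render_tab_script_vulnerable(breakout))      # quote ends the literal, alert runs
    print(render_tab_script_escaped_only(breakout))    # payload stays inside a "..." literal
    print(render_tab_script_escaped_only(close_tag))   # <\/script> cannot end the element
    print(render_tab_script_safe(close_tag))           # falls back to "general"
    print(render_error_vulnerable('<img src=x onerror="alert(1)">'))
    print(render_error_safe('<img src=x onerror="alert(1)">'))
```

Note that HTML-encoding the tab value would not be the right fix for item 6: entities are not decoded inside a script element, so the value would reach JavaScript mangled while a payload placed in an inline event handler attribute, where entities are decoded, would still execute.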


8) Session Fixation (CVE-ID: CVE-2026-40082)

CWE-ID: CWE-384 - Session Fixation

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows an attacker to hijack a user's authenticated session.

The vulnerability exists due to session fixation in auth_login.php and include/auth.php: the session identifier that existed before authentication is kept after a successful login instead of being regenerated. An attacker who can set a known session identifier in the victim's browser waits for the victim to log in and then presents that identifier to use the authenticated session.

User interaction is required because the victim must log in using the attacker-fixed session identifier. The CVSSv4 vector rates the attack vector as local (AV:L).
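
As an added illustration (Python, not Cacti's PHP), the following minimal session store plays out the fixation sequence and the two controls that defeat it: only server-issued identifiers are honoured (the equivalent of PHP's session.use_strict_mode), and a fresh identifier is issued at login with the old one destroyed (the equivalent of session_regenerate_id(true)). How the attacker plants the identifier in the victim's browser is out of scope and simply assumed.

```python
import secrets


class SessionStore:
    """In-memory session table: identifier -> session data."""

    def __init__(self):
        self._sessions = {}

    def issue(self):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {}
        return sid

    def resume(self, client_sid, strict):
        """Attach a request to a session.

        Non-strict (the vulnerable behaviour): any identifier the client
        presents becomes a live session, which is what lets an attacker plant
        one. Strict: unknown identifiers are ignored and a new one is issued.
        """
        if client_sid in self._sessions:
            return client_sid
        if not strict:
            self._sessions[client_sid] = {}
            return client_sid
        return self.issue()

    def whoami(self, sid):
        return self._sessions.get(sid, {}).get("user")

    def login_vulnerable(self, client_sid, username):
        """Authenticates inside whatever session the client presented."""
        sid = self.resume(client_sid, strict=False)
        self._sessions[sid]["user"] = username
        return sid

    def login_fixed(self, client_sid, username):
        """Regenerates the identifier on privilege change and drops the old one."""
        old_sid = self.resume(client_sid, strict=True)
        data = self._sessions.pop(old_sid)        # the old id is dead from here on
        new_sid = self.issue()
        self._sessions[new_sid] = {**data, "user": username}
        return new_sid


def fixation_attack(fixed):
    """Constructed scenario: 'attacker-chosen-sid' has been planted in the
    victim's browser; the victim logs in; the attacker replays the planted id.
    Returns what each party sees afterwards."""
    store = SessionStore()
    planted = "attacker-chosen-sid"
    login = store.login_fixed if fixed else store.login_vulnerable
    victim_sid = login(planted, "alice")
    return {"victim_sid_changed": victim_sid != planted,
            "attacker_sees": store.whoami(planted),
            "victim_sees": store.whoami(victim_sid)}


if __name__ == "__main__":
    print("vulnerable:", fixation_attack(fixed=False))  # attacker_sees 'alice'
    print("fixed:     ", fixation_attack(fixed=True))   # attacker_sees None
```

Strict mode alone is not enough: an attacker can obtain a genuine server-issued identifier by visiting the login page and plant that one instead, so the regeneration at login is the control that actually closes the class.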


Remediation

Install the update from the vendor's website.