CVE-2026-39893
Last modified
CVE-2026-39893 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. Cacti is an open source performance and fault management framework. In versions 1.2.30 and prior, the rfilter request variable was concatenated into a RLIKE SQL clause without sanitization. EPSS estimates a 0.36% chance of exploitation in the next 30 days.
Description
Cacti is an open source performance and fault management framework. In versions 1.2.30 and prior, the rfilter request variable was concatenated into a RLIKE SQL clause without sanitization. The endpoint does not require authentication (graph viewing supports guest access via the configured guest user), so the SQLi was reachable pre-auth on installs with guest viewing enabled. This issue was fixed in version 1.2.31.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Cacti | Cacti | < 1.2.31 |
References
- https://github.com/Cacti/cacti/pull/7039Issue Tracking, Patch
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2026-39893?
How severe is CVE-2026-39893?
How do I fix CVE-2026-39893?
Are you affected by CVE-2026-39893?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST