CVE-2025-45160

An HTML injection vulnerability exists in the file upload functionality of Cacti <= 1.2.29. When a file with an invalid format is uploaded, the application reflects the submitted filename back into an error popup without proper sanitization. As a result, attackers can inject arbitrary HTML elements (e.g., <h1>, <b>, <svg>) into the rendered page. NOTE: Multiple third parties, including the maintainer, have stated that they cannot reproduce this issue after 1.2.27.

Configurations

No configuration.

History

15 Apr 2026, 00:35

Type | Values Removed | Values Added
Summary
  • Values added: (es) An HTML injection vulnerability exists in the file upload functionality of Cacti <= 1.2.29. When a file with an invalid format is uploaded, the application reflects the submitted filename back into an error popup without proper sanitization. As a result, attackers can inject arbitrary HTML elements (e.g., <h1>, <b>, <svg>) into the rendered page. NOTE: Multiple third parties, including the maintainer, have stated that they cannot reproduce this issue after 1.2.27.

02 Feb 2026, 23:15

Type | Values Removed | Values Added
Summary
  • Values removed: (en) An HTML injection vulnerability exists in the file upload functionality of Cacti <= 1.2.29. When a file with an invalid format is uploaded, the application reflects the submitted filename back into an error popup without proper sanitization. As a result, attackers can inject arbitrary HTML elements (e.g., <h1>, <b>, <svg>) into the rendered page.
  • Values added: (en) An HTML injection vulnerability exists in the file upload functionality of Cacti <= 1.2.29. When a file with an invalid format is uploaded, the application reflects the submitted filename back into an error popup without proper sanitization. As a result, attackers can inject arbitrary HTML elements (e.g., <h1>, <b>, <svg>) into the rendered page. NOTE: Multiple third parties, including the maintainer, have stated that they cannot reproduce this issue after 1.2.27.

29 Jan 2026, 18:16

Type | Values Removed | Values Added
New CVE

Information

Published : 2026-01-29 18:16

Updated : 2026-04-15 00:35

NVD link : CVE-2025-45160

Mitre link : CVE-2025-45160

CVE.ORG link : CVE-2025-45160

Products Affected

No product.

CWE
CWE-80

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)