CVE-2026-39938

Cacti is an open-source performance and fault management framework. Versions 1.2.30 and prior have an unauthenticated local file inclusion (LFI) through graph_theme and rrdtool IPC serialization hardening. This issue has been resolved in version 1.2.31.
Configurations

Configuration 1

cpe:2.3:a:cacti:cacti:*:*:*:*:*:*:*:*

History

25 Jun 2026, 14:59

| Type | Values Removed | Values Added |
|---|---|---|
| CPE | | cpe:2.3:a:cacti:cacti:*:*:*:*:*:*:*:* |
| First Time | | Cacti; Cacti cacti |
| References | () https://github.com/Cacti/cacti/commit/9871f0cef9af285398d558c9b3188d5977e01a04 - | () https://github.com/Cacti/cacti/commit/9871f0cef9af285398d558c9b3188d5977e01a04 - Patch |
| References | () https://github.com/Cacti/cacti/security/advisories/GHSA-rm7p-qcqm-x5m6 - | () https://github.com/Cacti/cacti/security/advisories/GHSA-rm7p-qcqm-x5m6 - Patch, Vendor Advisory |

24 Jun 2026, 23:16

| Type | Values Removed | Values Added |
|---|---|---|
| New CVE | | |

Information

Published : 2026-06-24 23:16

Updated : 2026-06-26 05:16


NVD link : CVE-2026-39938

Mitre link : CVE-2026-39938

CVE.ORG link : CVE-2026-39938


Products Affected

cacti

  • cacti
CWE
CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')