CRITICAL | CVE-2026-39948 | Published | Modified | CNA: GitHub_M

CVE-2026-39948: Cacti has SQL Injection via rfilter parameter in RLIKE clauses

Cacti is an open source performance and fault management framework. In versions 1.2.30 and prior, the rfilter request parameter is retrieved via the raw accessor grv() (rather than gfrv() with FILTER_VALIDATE_IS_REGEX validation) and concatenated directly into RLIKE SQL clauses in lib/html_graph.php and lib/html_tree.php, which are reachable pre-authentication through graph_view.php on installations with guest graph viewing enabled. Because the unbalanced-quote payload bypasses the regex validation that would otherwise reject it, an unauthenticated attacker can inject arbitrary SQL to compromise the confidentiality, integrity, and availability of the database. This advisory is similar to GHSA-69gg-mjfm-jjpc. This issue has been fixed in version 1.2.31.
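A model of the pattern described above, as an added example that is not Cacti's code: SQLite's REGEXP operator with a Python callback stands in for MySQL RLIKE, and the table, data and function names are hypothetical. It shows that a value containing a quote is still a valid regular expression, so regex validation alone does not keep it out of the SQL text, while a bound parameter does.

```python
import re
import sqlite3

def _regexp(pattern, value):
    # SQLite evaluates "value REGEXP pattern" by calling regexp(pattern, value).
    return value is not None and re.search(pattern, value) is not None

def open_db():
    # Constructed sample data; the table name is hypothetical.
    db = sqlite3.connect(":memory:")
    db.create_function("regexp", 2, _regexp)
    db.execute("CREATE TABLE graphs (title TEXT)")
    db.executemany("INSERT INTO graphs VALUES (?)",
                   [("cpu usage",), ("disk io",), ("o'brien-router traffic",)])
    return db

def is_valid_regex(value):
    try:
        re.compile(value)
        return True
    except re.error:
        return False

def search_concat(db, rfilter):
    # Pattern the advisory describes: the raw value becomes part of the SQL text.
    sql = "SELECT title FROM graphs WHERE title REGEXP '" + rfilter + "'"
    return [row[0] for row in db.execute(sql)]

def search_bound(db, rfilter):
    # Hardened form: validate as a regex, then pass the value as a bound parameter.
    if not is_valid_regex(rfilter):
        raise ValueError("rfilter is not a valid regular expression")
    sql = "SELECT title FROM graphs WHERE title REGEXP ?"
    return [row[0] for row in db.execute(sql, (rfilter,))]

def quote_alters_sql(db, rfilter):
    # True when the value changes the statement's syntax instead of staying data.
    try:
        search_concat(db, rfilter)
        return False
    except sqlite3.OperationalError:
        return True

if __name__ == "__main__":
    db = open_db()
    print(is_valid_regex("o'brien"), quote_alters_sql(db, "o'brien"))
    print(search_bound(db, "o'brien"))
```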

Metrics

CVSS v4.0: 9.3
Severity: CRITICAL
Fixed in:
Affected Products: 1


HarborGuard Analysis

Synopsis

SQL injection via the rfilter request parameter affects Cacti versions 1.2.30 and earlier. The vulnerability is reachable over the network with no authentication required on installations where guest graph viewing is enabled, because the affected code path in graph_view.php is exposed pre-authentication. Successful exploitation gives an attacker the ability to read and modify arbitrary database contents. A patched-image rebuild at version 1.2.31 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection of CVE-2026-39948 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Cacti. Any image containing a Cacti installation at version 1.2.30 or earlier is flagged automatically.

Status: Available

Triage

HarborGuard scores this issue at CVSS 9.3 (Critical, v4.0) and surfaces it accordingly in each customer organization's vulnerability queue. Per-environment compliance policy weighting is applied, and the finding is routed to the inbox configured for critical-severity database-layer vulnerabilities within that org.

Status: Available

Patch

Because a fix exists at version 1.2.31, a patched-image rebuild is available on HarborGuard for any environment running an affected Cacti version. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite against the updated image, and opens a pull request against the affected workload.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The vulnerable endpoint (graph_view.php) is exposed over the network, so the attacker must be able to reach the Cacti web service via HTTP/HTTPS.

  • Authentication: Not required

    The injection path is reachable pre-authentication on any Cacti installation where guest graph viewing is enabled; no account or session token is needed.

  • Victim interaction: Not required

    The attacker sends a crafted HTTP request directly to the server; no user action or social engineering is required.

  • Attack complexity: Detail

    Attack complexity is low: the exploit is a straightforward unbalanced-quote payload that requires no race conditions, timing windows, or environment-specific conditions to succeed.

Blast Radius

  • Reads arbitrary rows from the Cacti database, including stored credentials, user session data, and device performance records.
  • Modifies persisted database rows, allowing an attacker to alter thresholds, device configurations, or user account data.
  • Because guest graph viewing can be enabled on public-facing installations, exploitation is reachable without any prior foothold on the host or network.
  • Database integrity loss can corrupt monitoring data, causing false alerts or masking genuine infrastructure faults.

How HarborGuard Handles This

Available on HarborGuard: any image containing Cacti at a version earlier than 1.2.31 is matched against this CVE within minutes of the advisory appearing in upstream feeds, including images built internally from source. A patched-image rebuild at version 1.2.31 is available for affected environments. For customers who opt into auto-remediation, HarborGuard triggers the rebuild, executes a regression test run against the rebuilt image, and opens a pull request against each affected workload; for critical-severity issues the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy does not permit auto-remediation, the finding appears in the critical queue with remediation instructions pointing to the 1.2.31 upgrade. Until a rebuild is deployed, compensating controls to consider include network-policy rules restricting access to graph_view.php to authenticated network segments, and disabling guest graph viewing at the application level if it is not operationally required.
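While a rebuild or the compensating controls above are pending, web access logs can be reviewed for requests that fit the advisory's description. The following is an added example, not HarborGuard or Cacti code: it assumes combined-format access logs and a /cacti/ install path, uses constructed sample lines, and flags graph_view.php requests whose rfilter value contains a quote character after URL decoding, including double-encoded values.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed sample access-log lines (combined log format), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Feb/2026:10:00:01 +0000] "GET /cacti/graph_view.php?rfilter=cpu HTTP/1.1" 200 5120
198.51.100.9 - - [02/Feb/2026:10:00:05 +0000] "GET /cacti/graph_view.php?rfilter=cpu%27 HTTP/1.1" 200 310
198.51.100.9 - - [02/Feb/2026:10:00:09 +0000] "GET /cacti/graph_view.php?rfilter=cpu%2527 HTTP/1.1" 200 5120
203.0.113.7 - - [02/Feb/2026:10:00:12 +0000] "GET /cacti/host.php?rfilter=o%27brien HTTP/1.1" 302 0
"""

# Client address, request target and status code from one log line.
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

def fully_decode(value, max_rounds=3):
    # Undo repeated percent-encoding (e.g. %2527 -> %27 -> ') up to a fixed bound.
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_rfilter_requests(log_text):
    """Return (client, status, decoded rfilter) for graph_view.php requests
    whose rfilter value contains a single or double quote."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue
        client, target, status = m.groups()
        url = urlsplit(target)
        if not url.path.endswith("/graph_view.php"):
            continue
        for raw in parse_qs(url.query, keep_blank_values=True).get("rfilter", []):
            value = fully_decode(raw)
            if "'" in value or '"' in value:
                hits.append((client, int(status), value))
    return hits

if __name__ == "__main__":
    for hit in suspicious_rfilter_requests(SAMPLE_LOG):
        print(hit)
```

Parameters sent in a POST body do not appear in access logs, so an empty result does not rule out attempts; a legitimate filter can also contain a quote, so hits are leads for review.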

Affected packages
  • Cacti / cacti
    < 1.2.31
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N