CVE-2026-39893
CRITICAL
NVD
CVSS Score
9.8
Severity
CRITICAL
Published
Jun 24, 2026
Vendor
unknown
Description
Cacti is an open source performance and fault management framework. In versions 1.2.30 and prior, the rfilter request variable was concatenated into a RLIKE SQL clause without sanitization. The endpoint does not require authentication (graph viewing supports guest access via the configured guest user), so the SQLi was reachable pre-auth on installs with guest viewing enabled. This issue was fixed in version 1.2.31.