Vulnerability intelligence

CVE-2026-39893

Cacti is an open source performance and fault management framework. In versions 1.2.30 and prior, the rfilter request variable was concatenated into a RLIKE SQL clause without sanitization. The endpoint does not require authentication (graph viewing supports guest access via the configured guest user), so the SQLi was reachable pre-auth on installs with guest viewing enabled. This issue was fixed in version 1.2.31.

CVSS Score

9.8

Critical

EPSS — Exploit Probability

0.4%

Riskier than 28% of all CVEs

Exploitation

Not in CISA KEV

No federal exploitation record

Remediation

Patch available

Vendor fix published

NVD entry Vendor patch PoC / advisory

1 article across 1 outlet · first covered Jun 30, 2026 · latest Jun 30, 2026

Coverage timeline

Cacti issues fix for critical preauth SQLi and file inclusion flaw
securityonline.info · Jun 30, 2026