CVE-2026-39893
Cacti: Pre-authentication SQL injection via rfilter RLIKE clause in graph_view.php
Description
Cacti is an open source performance and fault management framework. In versions 1.2.30 and prior, the rfilter request variable was concatenated into a RLIKE SQL clause without sanitization. The endpoint does not require authentication (graph viewing supports guest access via the configured guest user), so the SQLi was reachable pre-auth on installs with guest viewing enabled. This issue was fixed in version 1.2.31.
In plain language
Cacti versions 1.2.30 and earlier have an unauthenticated SQL injection flaw in the graph viewing page; if your Cacti “guest viewing” is enabled, a typical small business should treat this as a serious fix-now issue.
Unauthenticated SQL injection in Cacti’s `graph_view.php` via the `rfilter` parameter’s `RLIKE` clause allows arbitrary database read/modify/delete when guest viewing is enabled.
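The defect class the advisory describes, shown as an added example that is not Cacti's code: a filter value concatenated into a regex-match clause, beside the parameterized form that the fix represents. It assumes SQLite with a user-registered REGEXP function standing in for MySQL's RLIKE, and a constructed graph table; the real graph_view.php query is not on this page.

```python
import re
import sqlite3

# Constructed sample rows, not from a real Cacti database.
GRAPH_TITLES = ["Router1 - Traffic", "Router2 - CPU", "Switch - Errors"]


def _regexp(pattern, value):
    # SQLite has no RLIKE; "X REGEXP Y" calls this as regexp(Y, X).
    return re.search(pattern, value) is not None


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.create_function("REGEXP", 2, _regexp)
    conn.execute("CREATE TABLE graph_local (id INTEGER, title TEXT)")
    conn.executemany("INSERT INTO graph_local VALUES (?, ?)",
                     enumerate(GRAPH_TITLES))
    return conn


def filter_vulnerable(conn, rfilter):
    # The pattern is spliced into the SQL text, so any quote in rfilter is
    # parsed as SQL rather than as part of the regex (the CVE's defect class).
    sql = ("SELECT title FROM graph_local WHERE title REGEXP '"
           + rfilter + "' ORDER BY id")
    return [row[0] for row in conn.execute(sql)]


def filter_fixed(conn, rfilter):
    # Bound parameter: the whole value reaches the engine as one string and
    # is only ever interpreted as a regex pattern, never as SQL syntax.
    sql = "SELECT title FROM graph_local WHERE title REGEXP ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (rfilter,))]


def compare(rfilter):
    # Returns (vulnerable_result, fixed_result). A database error on the
    # vulnerable path is the tell that user input reached the SQL parser.
    conn = make_db()
    try:
        vuln = filter_vulnerable(conn, rfilter)
    except sqlite3.OperationalError:
        vuln = "SQL_ERROR"
    return vuln, filter_fixed(conn, rfilter)
```

A plain pattern such as "Router" behaves identically on both paths; a value containing a single quote (a legitimate regex like "O'Brien") breaks the concatenated query while the parameterized one simply matches nothing.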
What to do now
- Check whether your Cacti guest viewing feature is enabled in your Cacti configuration.
- Check your Cacti version number and whether it is 1.2.30 or earlier.
- Upgrade Cacti to version 1.2.31 or later (this is the fixed version).
CVSS Vector Breakdown
- AV:N (Attack Vector: Network)
- AC:L (Attack Complexity: Low)
- PR:N (Privileges Required: None)
- UI:N (User Interaction: None)
- S:U (Scope: Unchanged)
- C:H (Confidentiality: High)
- I:H (Integrity: High)
- A:H (Availability: High)
Weaknesses
Affected Products
Exploitability
MITRE ATT&CK
1 technique
References