CVE-2024-54146
Published 2025-01-27
Priority: P2 (63) · high · CVSS 3.1: 8.8
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 38.63% (98.4th percentile)
Cacti is an open source performance and fault management framework. Cacti has a SQL injection vulnerability in the template function of host_templates.php using the graph_template parameter. This vulnerability is fixed in 1.2.29.
Affected (8 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cacti | cacti | < 1.2.29 | 1.2.29 |
| cacti | cacti | <= 1.2.29 | — |
| cacti | cacti | >= 0 < 1.2.28+ds1-4 | 1.2.28+ds1-4 |
| cacti | cacti | >= 0 < 1.2.30+ds1-1 | 1.2.30+ds1-1 |
| cacti | cacti | >= 0 < 1.2.28+ds1-4 | 1.2.28+ds1-4 |
| cacti | cacti | >= 0 < 1.2.30+ds1-1 | 1.2.30+ds1-1 |
| debian | cacti | < cacti 1.2.28+ds1-4 (forky) | cacti 1.2.28+ds1-4 (forky) |
| debian | cacti | < cacti 1.2.30+ds1-1 (forky) | cacti 1.2.30+ds1-1 (forky) |
Detection & IOCs (extracted from sources)
- SQL injection vulnerability in Cacti's template function located in host_templates.php, triggered via the `graph_template` parameter
- CVE-2024-54146 was only partially fixed in Cacti 1.2.29; the incomplete fix led to CVE-2025-26520, which covers the same injection point (host_templates.php / graph_template parameter). Full remediation requires upgrading to 1.2.30 or the Debian package 1.2.30+ds1-1.
- Debian bookworm/bullseye resolutions for CVE-2024-54146 are marked resolved, but the specific fixed package version is only explicitly stated for forky/sid/trixie (1.2.28+ds1-4); verify the exact package version for bookworm/bullseye environments.
CVSS provenance
- nvd (v3.1): 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- osv: 8.8 HIGH
- vendor_debian: 7.6 LOW
GHSA: GHSA-4755-g2xw-m698 (CVE-2025-26520, HIGH, CWE-89) · ghsa_unreviewed · 2025-02-12 · CVSS 7.6
Cacti through 1.2.29 allows SQL injection in the template function in host_templates.php via the graph_template parameter. NOTE: this issue exists because of an incomplete fix for CVE-2024-54146.
OSV: CVE-2025-26520 (HIGH) · 2025-02-12 · CVSS 8.8
Cacti through 1.2.29 allows SQL injection in the template function in host_templates.php via the graph_template parameter. NOTE: this issue exists because of an incomplete fix for CVE-2024-54146.
OSV: CVE-2024-54146 (HIGH) · 2025-01-27 · CVSS 8.8
Cacti is an open source performance and fault management framework. Cacti has a SQL injection vulnerability in the template function of host_templates.php using the graph_template parameter. This vulnerability is fixed in 1.2.29.
Debian: CVE-2025-26520 (cacti, HIGH) · vendor_debian · 2025 · CVSS 7.6
Cacti through 1.2.29 allows SQL injection in the template function in host_templates.php via the graph_template parameter. NOTE: this issue exists because of an incomplete fix for CVE-2024-54146.
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved (fixed in 1.2.30+ds1-1)
sid: resolved (fixed in 1.2.30+ds1-1)
trixie: resolved (fixed in 1.2.30+ds1-1)
Debian: CVE-2024-54146 (cacti, HIGH) · vendor_debian · 2024 · CVSS 7.6
Cacti is an open source performance and fault management framework. Cacti has a SQL injection vulnerability in the template function of host_templates.php using the graph_template parameter. This vulnerability is fixed in 1.2.29.
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved (fixed in 1.2.28+ds1-4)
sid: resolved (fixed in 1.2.28+ds1-4)
trixie: resolved (fixed in 1.2.28+ds1-4)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2025-01-27