CVE-2024-54146 — SQL Injection in Cacti

CWE-89 — SQL Injection9 documents5 sources

Severity

9.8CRITICALNVD

NVD8.8CNA7.6OSV8.8

EPSS

9.8%

top 7.02%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cacti Debian Cacti

Timeline

PublishedJan 27

Latest updateFeb 12

Description

Cacti is an open source performance and fault management framework. Cacti has a SQL injection vulnerability in the template function of host_templates.php using the graph_template parameter. This vulnerability is fixed in 1.2.29.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages4 packages

▶CVEListV5cacti/cacti< 1.2.29+1

▶NVDcacti/cacti< 1.2.29

▶debiandebian/cacti< cacti 1.2.28+ds1-4 (forky)+1

▶Debiancacti/cacti< 1.2.28+ds1-4+3

Patches

Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-4755-g2xw-m698: Cacti through 1↗2025-02-12

▶

CVEList

CVE-2025-26520: Cacti through 1↗2025-02-12

▶

OSV

CVE-2025-26520: Cacti through 1↗2025-02-12

▶

OSV

CVE-2024-54146: Cacti is an open source performance and fault management framework↗2025-01-27

▶

CVEList

Cacti has a SQL Injection vulnerability when view host template↗2025-01-27

▶

📋Vendor Advisories

Debian

CVE-2025-26520: cacti - Cacti through 1.2.29 allows SQL injection in the template function in host_templ...↗2025

▶

Debian

CVE-2024-54146: cacti - Cacti is an open source performance and fault management framework. Cacti has a ...↗2024

▶