CVE-2025-26520 — SQL Injection in Cacti

CWE-89 — SQL Injection6 documents6 sources

Severity

9.8CRITICALNVD

CNA7.6OSV8.8

EPSS

0.1%

top 79.65%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cacti Debian Cacti

Timeline

PublishedFeb 12

Description

Cacti through 1.2.29 allows SQL injection in the template function in host_templates.php via the graph_template parameter. NOTE: this issue exists because of an incomplete fix for CVE-2024-54146.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages4 packages

▶NVDcacti/cacti< 1.2.29

▶debiandebian/cacti< cacti 1.2.30+ds1-1 (forky)

▶Debiancacti/cacti< 1.2.30+ds1-1+1

▶CVEListV5cacti/cacti1.2.29

Patches

Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-4755-g2xw-m698: Cacti through 1↗2025-02-12

▶

CVEList

CVE-2025-26520: Cacti through 1↗2025-02-12

▶

OSV

CVE-2025-26520: Cacti through 1↗2025-02-12

▶

📋Vendor Advisories

Debian

CVE-2025-26520: cacti - Cacti through 1.2.29 allows SQL injection in the template function in host_templ...↗2025

▶

🕵️Threat Intelligence

Wiz

CVE-2025-45160 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶