Locale-Dependent Decimal Formatting Vulnerability in Cacti by Cacti
CVE-2026-39894

2.9 LOW

Key Information:

Vendor: Cacti

Status
Vendor
CVE Published: 24 June 2026

What is CVE-2026-39894?

Cacti, an open-source performance and fault management framework, has a data-integrity issue in versions 1.2.30 and below, caused by locale-dependent decimal formatting in the rrdtool_function_update() function. Numeric values are formatted according to the server's locale settings. When the server's locale uses a comma as the decimal separator, such as de_DE, numeric values are converted incorrectly: the value 1.5 becomes '1,5', which is incompatible with the format RRDtool expects. This can lead to significant data integrity issues, causing metric data to shift into incorrect columns or be silently lost during processing. The issue only occurs under specific server misconfigurations and has been resolved in version 1.2.31.
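The failure mode described above, shown in PHP (Cacti's implementation language) as an added example: a locale-aware float conversion next to a locale-independent one, plus a check that rejects comma-decimal update arguments. This is not Cacti's code or its fix; the function names rrd_value and rrd_update_is_wellformed, the sample values, and the restriction of timestamps to N or epoch seconds are assumptions.

```php
<?php
// Added illustration, not Cacti's code. All function names here are hypothetical.

// Format one data-source value without consulting LC_NUMERIC.
function rrd_value($v): string
{
    if ($v === null || $v === '' || $v === 'U') {
        return 'U'; // RRDtool's marker for an unknown value
    }
    if (!is_numeric($v)) { // rejects comma-decimal strings such as '1,5'
        throw new InvalidArgumentException('non-numeric value: ' . var_export($v, true));
    }
    return sprintf('%F', $v); // %F ignores the locale; %f is locale-aware
}

// Accept only "N" or epoch seconds (a simplifying assumption),
// followed by fields that are "U" or numbers written with a '.' separator.
function rrd_update_is_wellformed(string $arg): bool
{
    $fields = explode(':', $arg);
    $ts = array_shift($fields);
    if ($ts !== 'N' && !ctype_digit($ts)) {
        return false;
    }
    foreach ($fields as $f) {
        if ($f !== 'U' && !preg_match('/^[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?$/', $f)) {
            return false;
        }
    }
    return count($fields) > 0;
}

// Constructed sample values for three data sources.
$values = [1.5, 42, null];

// Switch to a comma-decimal locale if one is installed (names vary by platform).
if (setlocale(LC_NUMERIC, 'de_DE.UTF-8', 'de_DE', 'deu_deu') === false) {
    fwrite(STDERR, "no de_DE locale installed; both strings will use '.'\n");
}

$naive = 'N:' . implode(':', array_map(
    fn($v) => $v === null ? 'U' : sprintf('%f', $v), $values));
$safe = 'N:' . implode(':', array_map('rrd_value', $values));

foreach (['locale-aware' => $naive, 'locale-independent' => $safe] as $label => $arg) {
    printf("%-18s %-32s %s\n", $label, $arg, rrd_update_is_wellformed($arg) ? 'ok' : 'REJECT');
}
```

A well-formedness check of this kind can also be run over logged update arguments to find pollers that wrote comma-decimal values before the upgrade to 1.2.31.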

Affected Version(s)

cacti < 1.2.31

CVSS V3.1

Score: 2.9
Severity: LOW
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Local
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
