Path Traversal Vulnerability in Cacti Performance Management Framework
CVE-2026-39899

6.9MEDIUM

Key Information:

Vendor: Cacti
Status: Cacti
Vendor: CVE Published:; 24 June 2026

What is CVE-2026-39899?

Cacti, an open-source performance and fault management framework, is affected by a Path Traversal vulnerability through a filename parameter located in package_import.php. This flaw allows attackers to manipulate file paths and access unauthorized files on the server. The issue has been addressed in version 1.2.31, highlighting the importance of keeping software up-to-date for robust security. Users of versions 1.2.30 and earlier should prioritize upgrading to enhance their system's defenses against potential exploitation.

Affected Version(s)

cacti < 1.2.31

References

https://github.com/Cacti/cacti/security/advisories/GHSA-p...

x_refsource_CONFIRM

https://github.com/Cacti/cacti/pull/6899

x_refsource_MISC

CVSS V4

Score:

6.9

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 24, 2026
Vulnerability Reserved
Apr 7, 2026

CVE-2026-39899 Data

JSON