Unauthenticated Local File Inclusion in Cacti by Cacti Project
CVE-2026-39938

9.8CRITICAL

Key Information:

Vendor: Cacti
Status: Cacti
Vendor: CVE Published:; 24 June 2026

What is CVE-2026-39938?

Cacti, an open-source performance and fault management framework, is vulnerable to unauthenticated Local File Inclusion (LFI) in versions 1.2.30 and earlier. This vulnerability arises from inadequate input validation on the graph_theme parameter and rrdtool IPC serialization hardening. Successful exploitation of this vulnerability allows attackers to include arbitrary files, potentially compromising sensitive information and system integrity. Users are strongly urged to upgrade to version 1.2.31 or later to mitigate this security risk.

Affected Version(s)

cacti < 1.2.31

References

https://github.com/Cacti/cacti/security/advisories/GHSA-r...

x_refsource_CONFIRM

https://github.com/Cacti/cacti/commit/9871f0cef9af285398d...

x_refsource_MISC

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 24, 2026
Vulnerability Reserved
Apr 7, 2026

CVE-2026-39938 Data

JSON