Open Redirect Vulnerability in Cacti Performance Management Framework
CVE-2026-40080

6.1 MEDIUM

Key Information:

Vendor

Cacti

Status
Vendor
CVE Published:
25 June 2026

What is CVE-2026-40080?

Cacti, an open-source performance and fault management framework, is susceptible to an Open Redirect vulnerability. The issue arises from inadequate validation during the post-login redirect: the code checks for a substring in the HTTP Referer header rather than validating the header's host. As a result, if a user's login options are set to redirect after logging in, they can be sent to a malicious site. Specifically, an attacker can craft a referer such as 'https://evil.com/cacti/', which matches the generic path used by Cacti and therefore passes the check. The vulnerability affects versions prior to 1.2.31 and has been addressed in that release, which adds proper validation of the redirect target.
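The following is an added illustration of the flawed check and its fix, written in Python for clarity rather than taken from Cacti's own PHP code; EXPECTED_HOST, URL_PATH and the function names are assumptions made for the example.

```python
from urllib.parse import urlparse, urlunparse

# Constructed configuration for this example: the host serving the Cacti
# instance and the path prefix it is installed under (assumed values).
EXPECTED_HOST = "cacti.example.org"
URL_PATH = "/cacti/"
SAFE_DEFAULT = URL_PATH + "index.php"


def weak_referer_redirect(referer: str) -> str:
    """Vulnerable pattern from the advisory: a substring test on the Referer
    only proves that '/cacti/' appears somewhere in it, not that the request
    came from this host, so 'https://evil.com/cacti/' is accepted."""
    if referer and URL_PATH in referer:
        return referer
    return SAFE_DEFAULT


def safe_referer_redirect(referer: str) -> str:
    """Hardened check: parse the Referer, require an http(s) scheme, require
    the parsed hostname (userinfo and port stripped) to equal our own host,
    require the path to sit under the install prefix, and then emit only a
    path-relative target so the browser can never leave this origin."""
    if not referer:
        return SAFE_DEFAULT
    parts = urlparse(referer)
    if parts.scheme not in ("http", "https"):
        return SAFE_DEFAULT
    host = parts.hostname  # None for malformed input; lowercased by urlparse
    if host is None or host != EXPECTED_HOST:
        return SAFE_DEFAULT
    if not parts.path.startswith(URL_PATH):
        return SAFE_DEFAULT
    # Drop scheme, netloc and fragment; keep path, params and query.
    return urlunparse(("", "", parts.path, parts.params, parts.query, ""))


if __name__ == "__main__":
    for ref in ("https://evil.com/cacti/",
                "https://cacti.example.org@evil.com/cacti/",
                "https://cacti.example.org/cacti/graph_view.php?action=tree"):
        print(ref, "->", weak_referer_redirect(ref), "|", safe_referer_redirect(ref))
```

Note that the hardened version also defeats lookalike hosts such as 'cacti.example.org.evil.com' and userinfo tricks, because it compares the parsed hostname exactly rather than searching for a substring.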

Affected Version(s)

cacti < 1.2.31

References

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
