SQL Injection Vulnerability in Cacti Performance Management Framework
CVE-2026-40083

7.2 HIGH

Key Information:

Vendor: Cacti
Status: Vendor
CVE Published: 25 June 2026

What is CVE-2026-40083?

Cacti, an open-source performance and fault management framework, is susceptible to SQL injection due to improper handling of deserialized data in the managers.php file. Specifically, the application unserializes user input without sufficient validation, so an attacker-supplied array of arbitrary strings reaches SQL commands unchecked. The vulnerability arises at line 756, where the deserialized values are concatenated directly into an SQL DELETE statement without sanitization, allowing unauthorized access to and manipulation of the database. This issue is addressed in Cacti version 1.2.31.
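As an added illustration, not Cacti's own code, the following PHP contrasts the unserialize-and-splice pattern the advisory describes with a hardened handler that validates each id as a positive integer and binds it through placeholders. The function names, the managers table layout and the use of PDO with the sqlite driver are assumptions for a self-contained demo.

```php
<?php
// Added example, not code from Cacti. Hypothetical helpers; table schema is constructed.

// Unsafe pattern: unserialize() output is spliced straight into the DELETE.
// Element types and contents are attacker-controlled, so the query text is too.
function delete_managers_unsafe(PDO $db, string $serialized): void {
    $ids = unserialize($serialized);
    $db->exec('DELETE FROM managers WHERE id IN (' . implode(',', $ids) . ')');
}

// Hardened pattern: no unserialize() on untrusted input; accept a JSON list,
// validate every element as an integer >= 1, then bind with placeholders.
function delete_managers_safe(PDO $db, string $json): int {
    $ids = json_decode($json, true);
    if (!is_array($ids) || $ids === []) {
        throw new InvalidArgumentException('expected a non-empty JSON array of ids');
    }
    $clean = [];
    foreach ($ids as $id) {
        // FILTER_VALIDATE_INT rejects anything that is not a whole number in range
        $v = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($v === false) {
            throw new InvalidArgumentException('invalid id: ' . var_export($id, true));
        }
        $clean[] = $v;
    }
    // One '?' per id; values travel as bound parameters, never as query text.
    $placeholders = implode(',', array_fill(0, count($clean), '?'));
    $stmt = $db->prepare("DELETE FROM managers WHERE id IN ($placeholders)");
    $stmt->execute($clean);
    return $stmt->rowCount();
}

// Self-contained demo on constructed data (assumes the pdo_sqlite extension).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE managers (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO managers VALUES (1,'a'),(2,'b'),(3,'c')");

echo delete_managers_safe($db, '[1, "3"]'), " rows deleted\n";   // 2 rows deleted
try {
    delete_managers_safe($db, '["3 OR 1=1"]');                  // rejected before any SQL runs
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The same validate-then-bind shape applies to any list that ends up in an IN (...) clause; the point is that the id list never contributes characters to the query string.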

Affected Version(s)

cacti < 1.2.31

CVSS V3.1

Score: 7.2
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
