Path Traversal in Cacti Performance Management Framework by Cacti
CVE-2026-40084
6.5 MEDIUM
What is CVE-2026-40084?
Cacti, an open-source performance and fault management framework, is susceptible to a path traversal vulnerability through the 'format_file' parameter in reports. The flaw occurs in two phases: first, a stored injection, where the user-supplied value is saved directly to the database without sufficient validation; second, when the stored value is later read back, the software concatenates it into a filesystem path and reads the resulting file, which allows an attacker to read arbitrary files and access sensitive information. This issue was addressed in version 1.2.31.
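The two-phase pattern described above (a value stored unvalidated, then concatenated into a path at read time) is the classic shape of a stored path traversal, and the defence is the same at both phases: treat the value as a bare file name, allowlist it, and confirm the resolved path still lies inside the intended directory. The following is an added illustration written for this page, not Cacti's own code (Cacti is PHP; Python is used here for a runnable example). The report directory, the extension allowlist and the sample values are constructed assumptions.

```python
import posixpath

# Assumed values for illustration only; not Cacti's real layout or policy.
REPORT_DIR = "/var/lib/cacti/reports"
ALLOWED_EXTENSIONS = {".html", ".txt"}


def vulnerable_report_path(format_file: str) -> str:
    """The pattern the advisory describes: the stored value is glued onto a
    directory with no validation, so '..' segments walk out of REPORT_DIR."""
    return REPORT_DIR + "/" + format_file


def resolved(path: str) -> str:
    """Collapse '.' and '..' segments so the effective target is visible."""
    return posixpath.normpath(path)


def validate_format_file(format_file: str) -> str:
    """Checks to run BEFORE storing the value (phase one).

    Rejects anything that is not a plain file name with an allowed
    extension. Returns the value unchanged when it is acceptable."""
    if not format_file or "\x00" in format_file:
        raise ValueError("empty value or embedded NUL")
    # Any separator (POSIX or Windows style) means it is not a bare name.
    if "/" in format_file or "\\" in format_file:
        raise ValueError("directory separators are not allowed")
    if format_file in (".", ".."):
        raise ValueError("dot names are not allowed")
    ext = posixpath.splitext(format_file)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension {ext!r} is not allowlisted")
    return format_file


def safe_report_path(format_file: str) -> str:
    """Checks to run again when the stored value is read back (phase two).

    Re-validates the value (the database row may have been written by older,
    unvalidated code) and confirms the normalised path is still inside
    REPORT_DIR before it is ever opened."""
    validate_format_file(format_file)
    candidate = posixpath.normpath(posixpath.join(REPORT_DIR, format_file))
    if posixpath.commonpath([REPORT_DIR, candidate]) != REPORT_DIR:
        raise ValueError("resolved path escapes the report directory")
    return candidate


def is_rejected(format_file: str) -> bool:
    """True when the hardened resolver refuses the value."""
    try:
        safe_report_path(format_file)
    except ValueError:
        return False or True
    return False


if __name__ == "__main__":
    for value in ("monthly.html", "../../../../etc/hosts", "sub/x.html", "x.php"):
        naive = resolved(vulnerable_report_path(value))
        verdict = "rejected" if is_rejected(value) else "accepted"
        print(f"{value!r:28} naive -> {naive:40} hardened: {verdict}")
```

The point of re-validating in `safe_report_path` is that a stored value is only as trustworthy as the code that wrote it; after a fix ships, rows written before the fix are still in the database, so the read-side check is the one that actually closes the hole.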
Affected Version(s)
cacti < 1.2.31
