External risk intelligence

Cacti SQL Injection Vulnerability in graph_view.php

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-39955

Cacti is a performance and fault management framework commonly deployed as a web-based monitoring application. The vulnerability exists in a graph viewing component that is typically accessed via a web browser, making it a likely candidate for being an internet-facing or internal-facing web application interface reachable by users.

SQL Injection

Cacti

before 1.2.31

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability has been identified in Cacti, an open-source framework used for performance and fault management. This issue allows for unauthenticated attackers to inject malicious SQL code, potentially leading to unauthorized access or modification of data within the system. The primary concern is to confirm if our organization utilizes this technology and, if so, to understand the potential exposure.

  • Unauthorized data access possible.
  • Important for monitoring system integrity.
  • Confirm Cacti use and exposure.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by sending a specially crafted request to the graph viewing feature of Cacti. Because the vulnerability exists before authentication and can be reached over the network, an attacker does not need any prior access to the system. Successful exploitation allows an attacker to inject malicious SQL commands, potentially leading to unauthorized access, modification, or deletion of sensitive data.

  • No authentication required for access.
  • Triggered via the graph viewing feature.
  • Risk of data compromise and system control.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an unauthenticated attacker to execute arbitrary SQL commands by manipulating graph views. When supported by the advisory, this could affect system data integrity, application behavior, and potentially lead to unauthorized access or modification of sensitive information stored within the Cacti framework.

  • System and application data.
  • Unauthenticated SQL injection via web interface.
  • Unauthorized data access or modification.

Operational Fix

Recommended remediation, mitigation, and detection steps

The Cacti framework, a performance and fault management tool, is affected by a critical pre-authentication SQL injection vulnerability. Teams responsible for web applications and monitoring infrastructure should prioritize identifying all Cacti deployments, assessing their exposure, and confirming business criticality. Remediation planning should then be based on this risk assessment, involving coordination with relevant application or platform owners.

  • Application and platform teams own remediation.
  • Verify Cacti instance exposure and criticality.
  • Plan and execute updates during maintenance.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Cacti used for?

Cacti is an open-source framework designed for network performance and fault management. It is primarily used by technical teams to monitor the health, status, and data trends of IT infrastructure, often visualized through web-based graphs and reporting dashboards.

What does SQL injection mean for CVE-2026-39955?

This vulnerability is classified as CWE-89, or Improper Neutralization of Special Elements used in an SQL Command. In the context of CVE-2026-39955, it means the application does not properly sanitize input in its graph viewing feature. An attacker can supply malicious database commands through this input, which the system then executes against its underlying database, potentially allowing them to view or alter sensitive information.

How is this vulnerability triggered?

The flaw is triggered when an attacker sends a crafted request to the graph_view.php component. Because this happens before the application checks for user credentials, no login is required to attempt the attack. It is important to note that simply navigating to standard, legitimate monitoring pages without malicious input does not trigger the vulnerability.

Is my Cacti instance relevant to this threat?

Halo Surface Signal indicates that because Cacti is a web-based monitoring application, it is frequently reachable by users via a web browser. If your Cacti deployment is configured to be accessible over the network, it faces a higher risk of being reached by an attacker, regardless of whether it is hosted on an internal network or exposed to the public internet.

What is the first step to address this CVE?

You should prioritize identifying all Cacti instances within your infrastructure and determining which versions are currently in use. Once identified, coordinate with the platform owners to plan an update to version 1.2.31 or later, as this release contains the necessary fix for the underlying input validation issue.

References