Cacti project reports:
This release includes fixes for a number of vulnerabilities that were responsibly disclosed by external researchers
- CVE-2026-39894 RRDtool metric shift via LC_NUMERIC locale comma decimal formatting
- CVE-2026-40082 Session Fixation via missing session_regenerate_id() after login
- CVE-2026-40941 Package Import Signature Validation Bypass allows self-signed packages
- CVE-2026-39897 Reflected XSS in html_auth_footer error message output
- CVE-2026-39900 Reflected XSS via tab parameter in auth_profile.php JavaScript context
- CVE-2026-46531 SQL Injection in automation_tree_rules.php
- CVE-2026-44481 Pre-auth Open Redirect via link.php Referer header
- CVE-2026-39952 Stored XSS in Report Tree expansion titles
- CVE-2026-39893 Pre-authentication SQL injection via rfilter RLIKE clause in graph_view.php
- CVE-2026-22802 Authentication Bypass leads to information disclosure
- CVE-2026-40080 Open Redirect via HTTP_REFERER substring check in auth_login_redirect
- CVE-2026-40078 Backend ORDER BY SQL Injection
- CVE-2026-39949 Authenticated Remote Code Execution via Host Variable Injection
- CVE-2026-40081 Reports IDOR allows any authenticated user to modify other users' reports (CWE-639)
- CVE-2026-39948 SQL Injection via rfilter parameter in RLIKE clauses
- CVE-2026-39902 Authenticated RCE on Data Input
- CVE-2026-39898 Reflected XSS via rfilter parameter in aggregate_graphs.php input value
- CVE-2026-41884 Arbitrary File Read via Reports format_file path traversal
- CVE-2026-39955 Pre-Authentication SQL Injection via unanchored FILTER_VALIDATE_REGEXP in graph_view.php
- CVE-2026-39896 TOCTOU race in auth_process_lockout allows brute-force lockout bypass
- CVE-2026-39950 Arbitrary PHP file write via Plugin Archive extraction leading to RCE
- CVE-2026-40083 SQL Injection in managers.php via uncast array values in IN clauses
- CVE-2026-40084 Arbitrary File Read via path traversal in Report format_file parameter
- CVE-2026-39951 Stored SQL Injection via graph_name_regexp in Reports feature
- CVE-2026-39899 Path traversal via filename parameter in package_import.php
- CVE-2026-39938 Unauthenticated LFI via graph_theme and rrdtool IPC serialization hardening
- CVE-2026-39939 Path traversal in Package Import file write allows arbitrary file creation in webroot
- CVE-2026-39947 RRDtool IPC pipe poisoning via is_numeric newline bypass in rrdtool_function_update
- CVE-2026-39895 Second-order RCE via unescaped log path in exec_background shell redirection
- CVE-2026-40079 Command Injection via escape_command() no-op in RRDtool execution
- CVE-2026-40194, CVE-2026-32935 in phpseclib - This is breaking change for RRDProxy
- CVE-2026-1513 billboard.js before 3.18.0 Improper Input Sanitization Allows Remote JavaScript Execution