PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-40084 Cacti CVE debrief

CVE-2026-40084 is a path traversal (CWE-22) vulnerability in Cacti, the open-source performance and fault management framework. It affects Cacti 1.2.30 and earlier and lets an authenticated, low-privileged attacker read arbitrary files that the web server process can access. The flaw is reached in two stages: a crafted report format filename is first stored in the database through the report save path, and the application later builds a filesystem path from the stored value and reads that file without validating it. The issue is fixed in 1.2.31; users of affected versions should upgrade.

Vendor
Cacti
Product
Unknown
CVSS
MEDIUM 6.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-25
Original CVE updated
2026-06-29
Advisory published
2026-06-25
Advisory updated
2026-06-29

Who should care

System administrators and security teams responsible for Cacti installations should take note. The CVSS 3.1 score of 6.5 (Medium) reflects that the attacker needs a Cacti account (PR:L), but the confidentiality impact is rated High: any user able to save a report can read files the web server process can access, which on a Cacti host includes the database password in Cacti's own config.php. The risk is therefore greatest where Cacti accounts are issued broadly or an instance is shared by many users rather than a small admin group. Upgrade to 1.2.31 or later.

Technical summary

The vulnerability occurs in two stages. In lib/html_reports.php at line 283, the submitted value is stored directly into the database ($save['format_file'] = $post['format_file']) with no validation. Later, in lib/reports.php, line 667 builds the path by concatenating CACTI_PATH_FORMATS . '/' . $format_file, and line 670 passes the result to file(). Because the stored value is never checked for directory separators or ../ sequences, a traversal value escapes the formats directory and file() reads whatever file the web server process can open. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N (6.5, Medium): network reachable, low attack complexity, a low-privileged account required, no user interaction, high confidentiality impact, no integrity or availability impact.
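The following PHP is an added illustration, not Cacti's code and not the 1.2.31 fix. It places the pattern the debrief describes (a stored value concatenated into a path and handed to file()) beside a hardened read, applies the same rule at save time, and includes a hunting check for values already stored, which is the check a defender would run alongside the upgrade. Assumptions: the constant name CACTI_PATH_FORMATS from the debrief, a "*.format" filename convention for format files, and a temporary formats directory created by the script itself so it runs offline.

```php
<?php
// Added example, not code from Cacti or from its 1.2.31 fix.
// Assumptions: CACTI_PATH_FORMATS names the report format directory (as in
// the debrief); format files end in ".format"; the directory below is a
// temporary one created here so the script runs stand-alone.

$formats_dir = sys_get_temp_dir() . '/cacti_formats_' . getmypid();
mkdir($formats_dir);
file_put_contents($formats_dir . '/default.format', "<html><body>%s</body></html>\n");
define('CACTI_PATH_FORMATS', $formats_dir);

// Vulnerable pattern: nothing sits between the stored value and file(), so
// "../../../../etc/passwd" resolves outside the formats directory.
function read_format_vulnerable(string $format_file): array|false
{
    $path = CACTI_PATH_FORMATS . '/' . $format_file;
    return @file($path);
}

// Hardened: enforce the expected shape of the name, then confirm the
// resolved path still lies under the formats directory (catches symlinks
// and any separator the shape check did not anticipate).
function resolve_format_safe(string $format_file): ?string
{
    // A single path component: basename() strips any '/' prefix, so a
    // value that survives unchanged contains no '/' and is not '.' or '..'.
    if ($format_file === '' || basename($format_file) !== $format_file) {
        return null;
    }
    // Allowlist the characters and require the expected extension; this
    // also rejects backslashes, which basename() ignores on Linux.
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9_.-]*\.format$/', $format_file)) {
        return null;
    }
    $base = realpath(CACTI_PATH_FORMATS);
    $real = realpath(CACTI_PATH_FORMATS . '/' . $format_file);
    if ($base === false || $real === false) {
        return null;
    }
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

function read_format_safe(string $format_file): array|false
{
    $path = resolve_format_safe($format_file);
    return $path === null ? false : file($path);
}

// The same rule at the point the debrief identifies as stage one: reject
// the value before it is written, so a hostile name never reaches the table.
function validate_format_file_for_save(string $post_value): string
{
    if (resolve_format_safe($post_value) === null) {
        throw new InvalidArgumentException(
            'format_file must name a file inside ' . CACTI_PATH_FORMATS);
    }
    return $post_value;
}

// Hunting helper for values already stored by an unpatched instance:
// anything other than a bare filename with the expected extension is suspect.
function is_suspicious_format_value(string $stored): bool
{
    return $stored !== basename($stored)
        || str_contains($stored, "\0")
        || !preg_match('/^[A-Za-z0-9][A-Za-z0-9_.-]*\.format$/', $stored);
}

// Constructed inputs: one legitimate name and two traversal attempts.
$inputs = [
    'default.format',
    '../../../../etc/passwd',
    '..\\..\\windows\\win.ini',
];
foreach ($inputs as $in) {
    printf("%-32s vulnerable=%-8s safe=%-9s suspicious=%s\n",
        json_encode($in),
        read_format_vulnerable($in) === false ? 'no-read' : 'READ',
        read_format_safe($in) === false ? 'rejected' : 'read',
        is_suspicious_format_value($in) ? 'yes' : 'no');
}

unlink($formats_dir . '/default.format');
rmdir($formats_dir);
```

Run it with `php` on a Linux host: the vulnerable function returns the contents of /etc/passwd for the traversal input while the hardened read rejects it, and only default.format is read by both. The realpath() containment test is kept even though the allowlist already rejects separators, because the two checks fail independently: one guards the input shape, the other guards what the filesystem actually resolves.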

Defensive priority

Treat the upgrade to 1.2.31 or later as a medium-priority change, and raise it where Cacti accounts are issued beyond a small administrative group. The score is Medium only because an account is required; the confidentiality impact is High, and an arbitrary file read on a monitoring host can expose the credentials that host stores.

Recommended defensive actions

  • Update Cacti to version 1.2.31 or later
  • Until the upgrade lands, validate the format_file value server-side: accept only a bare filename that exists in the formats directory, and reject anything containing a directory separator or ../
  • Check the report format values already stored in the Cacti database for separators or traversal sequences; a hit means an attempt has already been staged on that instance
  • Run the web server process with least privilege so an arbitrary file read is bounded to what Cacti itself needs
  • Conduct regular security audits and vulnerability assessments

Evidence notes

The CVE record and the NVD entry supply the details above. The record was published on 2026-06-25 and last modified on 2026-06-29; it has been analyzed and carries a CWE-22 (path traversal) classification.

Official resources

This article is AI-assisted and based on the supplied source corpus.