← back
CVE-2026-39938

Cacti: Unauthenticated RCE on Graph Image

CVSS 9.8 CRITICALEPSS 0.4%CWE-22CWE-78
Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have unauthenticated LFI through graph_theme and rrdtool IPC serialization hardening. This issue has been resolved in version 1.2.31.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
Cacti · cacti
public PoCs found1
githubgithub.com/Polosss/By-Poloss..-..CVE-2026-399380
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/Cacti/cacti/commit/9871f0cef9af285398d558c9b3188d5977e01a04https://github.com/Cacti/cacti/security/advisories/GHSA-rm7p-qcqm-x5m6