pkg:Debian/cacti
193 total CVEsCRITICAL9HIGH44MEDIUM63
✅ Check your installed version
All known vulnerabilities
- from 0, < 1.2.16+ds1-2+deb11u1
- from 0, < 1.2.16+ds1-2+deb11u5
- CRITICAL9.8CVE-2025-26520Cacti through 1.2.29 allows SQL injection in the template function in host_templates.php via the graph_template parameter.from 0, < 1.2.30+ds1-1
- CRITICAL9.8CVE-2023-39361Cacti is an open source operational monitoring and fault management framework.from 0, < 1.2.16+ds1-2+deb11u2
- from 0, < 1.2.16+ds1-2+deb11u1
- from 0, < 1.2.16+ds1-2+deb11u1
- CRITICAL9.8CVE-2017-12065spikekill.php in Cacti before 1.1.16 might allow remote attackers to execute arbitrary code via the avgnan, outlier-start, or outlier-end p…from 0, < 1.1.16+ds1-1
- from 0, < 1.2.16+ds1-2+deb11u5
- from 0, < 1.2.16+ds1-2+deb11u4
- from 0
- HIGH8.8CVE-2005-10004Cacti versions prior to 0.8.6-d contain a remote command execution vulnerability in the graph_view.php script.from 0, < 0.8.6d-1
- from 0, < 1.2.16+ds1-2+deb11u5
- from 0, < 1.2.28+ds1-4
- from 0, < 1.2.16+ds1-2+deb11u5
- from 0, < 1.2.16+ds1-2+deb11u4
- from 0, < 1.2.16+ds1-2+deb11u4
- from 0, < 1.2.26+ds1-1
- from 0, < 1.2.16+ds1-2+deb11u3
- HIGH8.8CVE-2023-49084Cacti is a robust performance and fault management framework and a frontend to RRDTool - a Time Series Database (TSDB).from 0, < 1.2.16+ds1-2+deb11u3
- from 0, < 1.2.24+ds1-1+deb12u1
- from 0, < 1.2.16+ds1-2+deb11u2
- from 0, < 1.2.16+ds1-2+deb11u2
- from 0, < 1.2.2+ds1-2+deb10u6
- from 0, < 1.2.16+ds1-2+deb11u2
- from 0, < 1.2.16+ds1-2
- HIGH8.8CVE-2020-8813graph_realtime.php in Cacti 1.2.8 allows remote attackers to execute arbitrary OS commands via shell metacharacters in a cookie, if a guest…from 0, < 1.2.10+ds1-1
- HIGH8.8CVE-2020-7237Cacti 1.2.8 allows Remote Code Execution (by privileged users) via shell metacharacters in the Performance Boost Debug Log field of poller_…from 0, < 1.2.9+ds1-1
- HIGH8.8CVE-2020-7058data_input.php in Cacti 1.2.8 allows remote code execution via a crafted Input String to Data Collection -> Data Input Methods -> Unix -> P…from 0
- HIGH8.8CVE-2016-10700auth_login.php in Cacti before 1.0.0 allows remote authenticated users who use web authentication to bypass intended access restrictions by…from 0, < 0.8.8h+ds1-5
- HIGH8.8CVE-2014-4000Cacti before 1.0.0 allows remote authenticated users to conduct PHP object injection attacks and execute arbitrary PHP code via a crafted s…from 0, < 0.8.8e+ds1-1
- HIGH8.8CVE-2017-1000031SQL injection vulnerability in graph_templates_inputs.php in Cacti 0.8.8b allows remote attackers to execute arbitrary SQL commands via the…from 0, < 0.8.8e+ds1-1
- from 0, < 0.8.8a+dfsg-5+deb7u9
- from 0, < 0.8.8g+ds1-1
- HIGH8.8CVE-2016-3172SQL injection vulnerability in tree.php in Cacti 0.8.8g and earlier allows remote authenticated users to execute arbitrary SQL commands via…from 0, < 0.8.8g+ds1-2
- from 0, < 0.8.7g-1+squeeze9+deb6u14
- from 0, < 0.8.8f+ds1-4
- HIGH8.8CVE-2016-3659SQL injection vulnerability in graph_view.php in Cacti 0.8.8.g allows remote authenticated users to execute arbitrary SQL commands via the…from 0, < 0.8.8h+ds1-1
- from 0, < 1.2.16+ds1-2+deb11u5
- from 0, < 1.2.16+ds1-2+deb11u5
- from 0, < 1.2.8+ds1-1
- from 0, < 0.8.8h+ds1-10+deb9u1
- from 0, < 0.8.8b+dfsg-8+deb8u8
- from 0, < 1.2.16+ds1-2+deb11u4
- from 0, < 1.2.16+ds1-2+deb11u5
- HIGH7.5CVE-2023-37543Cacti before 1.2.6 allows IDOR (Insecure Direct Object Reference) for accessing any graph via a modified local_graph_id parameter to graph_…from 0, < 1.2.6+ds1-1
- from 0, < 1.2.16+ds1-2+deb11u5
- from 0, < 1.2.16+ds1-2+deb11u5
- from 0, < 1.2.16+ds1-2+deb11u4
- from 0, < 1.2.16+ds1-2+deb11u4
- from 0, < 1.2.16+ds1-2+deb11u2
- HIGH7.2CVE-2020-14295A SQL injection issue in color.php in Cacti 1.2.12 allows an admin to inject SQL via the filter parameter.from 0, < 1.2.13+ds1-1
- HIGH7.2CVE-2017-16660Cacti 1.1.27 allows remote authenticated administrators to conduct Remote Code Execution attacks by placing the Log Path under the web root…from 0, < 1.1.27+ds1-3
- HIGH7.2CVE-2017-16641lib/rrd.php in Cacti 1.1.27 allows remote authenticated administrators to execute arbitrary OS commands via the path_rrdtool parameter in a…from 0, < 1.1.27+ds1-3
- MEDIUM6.5CVE-2023-46490SQL Injection vulnerability in Cacti v1.2.25 allows a remote attacker to obtain sensitive information via the form_actions() function in th…from 0
- MEDIUM6.5CVE-2020-13231In Cacti before 1.2.11, auth_profile.php?action=edit allows CSRF for an admin email change.from 0, < 1.2.11+ds1-1
- MEDIUM6.5CVE-2019-17357Cacti through 1.2.7 is affected by a graphs.php?template_id= SQL injection vulnerability affecting how template identifiers are handled whe…from 0, < 1.2.8+ds1-1
- MEDIUM6.3CVE-2023-39365Cacti is an open source operational monitoring and fault management framework.from 0, < 1.2.16+ds1-2+deb11u2
- MEDIUM6.1CVE-2023-50250Cacti is an open source operational monitoring and fault management framework.from 0, < 1.2.24+ds1-1+deb12u2
- from 0, < 1.2.16+ds1-2+deb11u3
- from 0, < 1.2.16+ds1-2+deb11u3
- MEDIUM6.1CVE-2022-48547A reflected cross-site scripting (XSS) vulnerability in Cacti 0.8.7g and earlier allows unauthenticated remote attackers to inject arbitrar…from 0, < 0.8.7i-1
- from 0, < 1.2.16+ds1-2+deb11u4
- from 0, < 1.2.16+ds1-2+deb11u4
- MEDIUM6.1CVE-2021-26247As an unauthenticated remote user, visit "http://<CACTI_SERVER>/auth_changepassword.php?ref=<script>alert(1)</script>" to successfully exec…from 0, < 0.8.7i-1
- MEDIUM6.1CVE-2020-14424Cacti before 1.2.18 allows remote attackers to trigger XSS via template import for the midwinter theme.from 0, < 1.2.19+ds1-1
- from 0, < 1.2.2+ds1-2+deb10u5
- from 0, < 1.2.13+ds1-1
- MEDIUM6.1CVE-2020-25706A cross-site scripting (XSS) vulnerability exists in templates_import.php (Cacti 1.2.13) due to Improper escaping of error message during t…from 0, < 1.2.14+ds1-1
- from 0, < 1.2.9+ds1-1
- from 0, < 0.8.8b+dfsg-8+deb8u9
- from 0, < 1.1.27+ds1-3
- MEDIUM6.1CVE-2017-15194include/global_session.php in Cacti 1.1.25 has XSS related to (1) the URI or (2) the refresh page.from 0, < 1.1.25+ds1-1
- MEDIUM6.1CVE-2017-12927A cross-site scripting vulnerability exists in Cacti 1.1.17 in the method parameter in spikekill.php.from 0, < 1.1.17+ds1-2
- MEDIUM6.1CVE-2017-1000032Cross-Site scripting (XSS) vulnerabilities in Cacti 0.8.8b allow remote attackers to inject arbitrary web script or HTML via the parent_id…from 0, < 0.8.8b+dfsg-6
- MEDIUM5.4CVE-2025-45160A HTML injection vulnerability exists in the file upload functionality of Cacti <= 1.2.29.from 0
- from 0, < 1.2.16+ds1-2+deb11u5
- from 0, < 1.2.16+ds1-2+deb11u5
- from 0, < 1.2.16+ds1-2+deb11u4
- from 0, < 1.2.16+ds1-2+deb11u4
- from 0, < 1.2.24+ds1-1+deb12u5
- from 0, < 1.2.24+ds1-1+deb12u5
- MEDIUM5.4CVE-2023-49086Cacti is a robust performance and fault management framework and a frontend to RRDTool - a Time Series Database (TSDB).from 0, < 1.2.16+ds1-2+deb11u3
- MEDIUM5.4CVE-2023-39364Cacti is an open source operational monitoring and fault management framework.from 0, < 1.2.16+ds1-2+deb11u2
- MEDIUM5.4CVE-2023-39514Cacti is an open source operational monitoring and fault management framework.from 0, < 1.2.24+ds1-1+deb12u1
- MEDIUM5.4CVE-2023-39513Cacti is an open source operational monitoring and fault management framework.from 0, < 1.2.16+ds1-2+deb11u3
- MEDIUM5.4CVE-2021-3816Cacti 1.1.38 allows authenticated users with User Management permissions to inject arbitrary HTML in the group_prefix field during the crea…from 0, < 1.2.1+ds1-1
- MEDIUM5.4CVE-2021-23225Cacti 1.1.38 allows authenticated users with User Management permissions to inject arbitrary web script or HTML in the "new_username" field…from 0, < 1.2.1+ds1-1
- from 0, < 0.8.8b+dfsg-8+deb8u7
- from 0, < 1.2.2+ds1-2
- MEDIUM5.4CVE-2018-20726A cross-site scripting (XSS) vulnerability exists in host.php (via tree.php) in Cacti before 1.2.0 due to lack of escaping of unintended ch…from 0, < 1.2.1+ds1-1
- MEDIUM5.4CVE-2018-10061Cacti before 1.1.37 has XSS because it makes certain htmlspecialchars calls without the ENT_QUOTES flag (these calls occur when the html_es…from 0, < 1.1.37+ds1-1
- from 0, < 0.8.8h+ds1-10+deb9u2
- from 0, < 1.1.37+ds1-1
- MEDIUM5.4CVE-2018-10059Cacti before 1.1.37 has XSS because the get_current_page function in lib/functions.php relies on $_SERVER['PHP_SELF'] instead of $_SERVER['…from 0, < 1.1.37+ds1-1
- MEDIUM5.4CVE-2017-12978lib/html.php in Cacti before 1.1.18 has XSS via the title field of an external link added by an authenticated user.from 0, < 1.1.18+ds1-1
- MEDIUM5.4CVE-2017-12066Cross-site scripting (XSS) vulnerability in aggregate_graphs.php in Cacti before 1.1.16 allows remote authenticated users to inject arbitra…from 0, < 1.1.16+ds1-1
- MEDIUM5.4CVE-2017-11691Cross-site scripting (XSS) vulnerability in auth_profile.php in Cacti 1.1.13 allows remote attackers to inject arbitrary web script or HTML…from 0, < 1.1.15+ds1-1
- MEDIUM5.4CVE-2017-11163Cross-site scripting (XSS) vulnerability in aggregate_graphs.php in Cacti 1.1.12 allows remote authenticated users to inject arbitrary web…from 0, < 1.1.12+ds1-1
- MEDIUM5.4CVE-2017-10970Cross-site scripting (XSS) vulnerability in link.php in Cacti 1.1.12 allows remote anonymous users to inject arbitrary web script or HTML v…from 0, < 1.1.12+ds1-1
- MEDIUM5.3CVE-2022-48538In Cacti 1.2.19, there is an authentication bypass in the web login functionality because of improper validation in the PHP code: cacti_lda…from 0
- from 0, < 1.2.16+ds1-2+deb11u5
- MEDIUM4.9CVE-2017-16661Cacti 1.1.27 allows remote authenticated administrators to read arbitrary files by placing the Log Path into a private directory, and then…from 0, < 1.1.27+ds1-3
- MEDIUM4.8CVE-2023-49088Cacti is an open source operational monitoring and fault management framework.from 0, < 1.2.16+ds1-2+deb11u3
- MEDIUM4.8CVE-2023-39511Cacti is an open source operational monitoring and fault management framework.from 0, < 1.2.24+ds1-1+deb12u1
- MEDIUM4.8CVE-2023-39516Cacti is an open source operational monitoring and fault management framework.from 0, < 1.2.16+ds1-2+deb11u2
- MEDIUM4.8CVE-2023-39515Cacti is an open source operational monitoring and fault management framework.from 0, < 1.2.16+ds1-2+deb11u2
- MEDIUM4.8CVE-2023-39512Cacti is an open source operational monitoring and fault management framework.from 0, < 1.2.24+ds1-1+deb12u1
- MEDIUM4.8CVE-2023-39510Cacti is an open source operational monitoring and fault management framework.from 0, < 1.2.24+ds1-1+deb12u1
- MEDIUM4.8CVE-2023-39366Cacti is an open source operational monitoring and fault management framework.from 0, < 1.2.24+ds1-1+deb12u1
- MEDIUM4.8CVE-2018-20725A cross-site scripting (XSS) vulnerability exists in graph_templates.php in Cacti before 1.2.0 due to lack of escaping of unintended charac…from 0, < 1.2.1+ds1-1
- MEDIUM4.8CVE-2018-20724A cross-site scripting (XSS) vulnerability exists in pollers.php in Cacti before 1.2.0 due to lack of escaping of unintended characters in…from 0, < 1.2.1+ds1-1
- MEDIUM4.8CVE-2018-20723A cross-site scripting (XSS) vulnerability exists in color_templates.php in Cacti before 1.2.0 due to lack of escaping of unintended charac…from 0, < 1.2.1+ds1-1
- from 0, < 1.2.24+ds1-1+deb12u3
- MEDIUM4.3CVE-2023-30534Cacti is an open source operational monitoring and fault management framework.from 0
- MEDIUM4.3CVE-2020-13230In Cacti before 1.2.11, disabling a user account does not immediately invalidate any permissions granted to that account (e.g., permission…from 0, < 1.2.11+ds1-1
- MEDIUM4.3CVE-2019-16723In Cacti through 1.2.6, authenticated users may bypass authorization checks (for viewing a graph) via a direct graph_json.php request with…from 0, < 1.2.7+ds1-1
- from 0, < 0.8.7g-1+squeeze9+deb6u11
- from 0, < 0.8.8f+ds1-3
- from 0, < 0.8.8a+dfsg-5+deb7u7
- from 0, < 0.8.8f+ds1-4
- from 0, < 0.8.8a+dfsg-5+deb7u8
- from 0, < 0.8.7g-1+squeeze7
- from 0, < 0.8.8e+ds1-1
- from 0, < 0.8.8a+dfsg-5+deb7u6
- —CVE-2015-2967Cross-site scripting (XSS) vulnerability in settings.php in Cacti before 0.8.8d allows remote attackers to inject arbitrary web script or H…from 0, < 0.8.8d+ds1-1
- —CVE-2015-4454SQL injection vulnerability in the get_hash_graph_template function in lib/functions.php in Cacti before 0.8.8d allows remote attackers to…from 0, < 0.8.8d+ds1-1
- —CVE-2015-4342SQL injection vulnerability in Cacti before 0.8.8d allows remote attackers to execute arbitrary SQL commands via unspecified vectors involv…from 0, < 0.8.8d+ds1-1
- from 0, < 0.8.8d+ds1-1
- from 0, < 0.8.8a+dfsg-5+deb7u5
- from 0, < 0.8.7g-1+squeeze6
- —CVE-2015-0916SQL injection vulnerability in graph.php in Cacti before 0.8.6f allows remote authenticated users to execute arbitrary SQL commands via the…from 0, < 0.8.6f-1
- —CVE-2014-5026Multiple cross-site scripting (XSS) vulnerabilities in Cacti 0.8.8b allow remote authenticated users with console access to inject arbitrar…from 0, < 0.8.8b+dfsg-7
- from 0, < 0.8.7g-1+squeeze5
- from 0, < 0.8.8a+dfsg-5+deb7u4
- from 0, < 0.8.8b+dfsg-7
- —CVE-2014-5262SQL injection vulnerability in the graph settings script (graph_settings.php) in Cacti 0.8.8b and earlier allows remote attackers to execut…from 0, < 0.8.8b+dfsg-8
- —CVE-2014-5261The graph settings script (graph_settings.php) in Cacti 0.8.8b and earlier allows remote attackers to execute arbitrary commands via shell…from 0, < 0.8.8b+dfsg-8
- —CVE-2014-4002Multiple cross-site scripting (XSS) vulnerabilities in Cacti 0.8.8b allow remote attackers to inject arbitrary web script or HTML via the (…from 0, < 0.8.8b+dfsg-6
- —CVE-2014-2709lib/rrd.php in Cacti 0.8.7g, 0.8.8b, and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in unspecif…from 0, < 0.8.8b+dfsg-4
- —CVE-2014-2328lib/graph_export.php in Cacti 0.8.7g, 0.8.8b, and earlier allows remote authenticated users to execute arbitrary commands via shell metacha…from 0, < 0.8.8b+dfsg-4
- —CVE-2014-2327Cross-site request forgery (CSRF) vulnerability in Cacti 0.8.7g, 0.8.8b, and earlier allows remote attackers to hijack the authentication o…from 0, < 0.8.8b+dfsg-6
- —CVE-2014-2708Multiple SQL injection vulnerabilities in graph_xport.php in Cacti 0.8.7g, 0.8.8b, and earlier allow remote attackers to execute arbitrary…from 0, < 0.8.8b+dfsg-4
- from 0, < 0.8.8a+dfsg-5+deb7u3
- from 0, < 0.8.8b+dfsg-4
- —CVE-2013-5589SQL injection vulnerability in cacti/host.php in Cacti 0.8.8b and earlier allows remote attackers to execute arbitrary SQL commands via the…from 0, < 0.8.8b+dfsg-3
- from 0, < 0.8.8b+dfsg-3
- from 0, < 0.8.7g-1+squeeze3
- —CVE-2013-1435(1) snmp.php and (2) rrd.php in Cacti before 0.8.8b allows remote attackers to execute arbitrary commands via shell metacharacters in unspe…from 0, < 0.8.8b+dfsg-1
- from 0, < 0.8.7g-1+squeeze2
- from 0, < 0.8.8b+dfsg-1
- —CVE-2011-5223Cross-site request forgery (CSRF) vulnerability in logout.php in Cacti before 0.8.7i allows remote attackers to hijack the authentication o…from 0, < 0.8.7i-1
- —CVE-2011-4824SQL injection vulnerability in auth_login.php in Cacti before 0.8.7h allows remote attackers to execute arbitrary SQL commands via the logi…from 0, < 0.8.7i-1
- —CVE-2010-2545Multiple cross-site scripting (XSS) vulnerabilities in Cacti before 0.8.7g, as used in Red Hat High Performance Computing (HPC) Solution an…from 0, < 0.8.7g-1
- —CVE-2010-2544Cross-site scripting (XSS) vulnerability in utilities.php in Cacti before 0.8.7g, as used in Red Hat High Performance Computing (HPC) Solut…from 0, < 0.8.7g-1
- —CVE-2010-2543Cross-site scripting (XSS) vulnerability in include/top_graph_header.php in Cacti before 0.8.7g allows remote attackers to inject arbitrary…from 0, < 0.8.7g-1
- —CVE-2010-1645Cacti before 0.8.7f, as used in Red Hat High Performance Computing (HPC) Solution and other products, allows remote authenticated administr…from 0, < 0.8.7g-1
- from 0, < 0.8.7b-2.1+lenny4
- from 0, < 0.8.7g-1
- from 0, < 0.8.7b-2.1+lenny3
- from 0, < 0.8.7e-4
- from 0, < 0.8.7b-2.1+lenny2
- from 0, < 0.8.7e-3
- —CVE-2009-4112Cacti 0.8.7e and earlier allows remote authenticated administrators to gain privileges by modifying the "Data Input Method" for the "Linux…from 0, < 1.2.1+ds1-1
- —CVE-2009-4032Multiple cross-site scripting (XSS) vulnerabilities in Cacti 0.8.7e allow remote attackers to inject arbitrary web script or HTML via vecto…from 0, < 0.8.7e-1.1
- —CVE-2008-0785Multiple SQL injection vulnerabilities in Cacti 0.8.7 before 0.8.7b and 0.8.6 before 0.8.6k allow remote authenticated users to execute arb…from 0, < 0.8.7b-1
- from 0, < 0.8.7b-1
- —CVE-2008-0786CRLF injection vulnerability in Cacti 0.8.7 before 0.8.7b and 0.8.6 before 0.8.6k, when running on older PHP interpreters, allows remote at…from 0, < 0.8.7b-1
- —CVE-2008-0784graph.php in Cacti 0.8.7 before 0.8.7b and 0.8.6 before 0.8.6k allows remote attackers to obtain the full path via an invalid local_graph_i…from 0, < 0.8.7b-1
- from 0, < 0.8.6i-3.3
- from 0, < 0.8.7a-1
- from 0, < 0.8.6c-7sarge5
- —CVE-2007-3113Cacti 0.8.6i, and possibly other versions, allows remote authenticated users to cause a denial of service (CPU consumption) via a large val…from 0, < 0.8.6j-1.1
- from 0, < 0.8.6j-1.1
- from 0, < 0.8.6i-3.6
- from 0, < 0.8.6c-7sarge4
- from 0, < 0.8.6i-3
- —CVE-2006-0806Multiple cross-site scripting (XSS) vulnerabilities in ADOdb 4.71, as used in multiple packages such as phpESP, allow remote attackers to i…from 0, < 0.8.6d-1
- —CVE-2006-0410SQL injection vulnerability in ADOdb before 4.71, when using PostgreSQL, allows remote attackers to execute arbitrary SQL commands via unsp…from 0, < 0.8.6d-1
- from 0, < 0.8.6c-7sarge3
- —CVE-2006-0147Dynamic code evaluation vulnerability in tests/tmssql.php test script in ADOdb for PHP before 4.70, as used in multiple products including…from 0, < 0.8.6d-1
- from 0, < 0.8.6d-1
- —CVE-2005-2148Cacti 0.8.6e and earlier does not perform proper input validation to protect against common attacks, which allows remote attackers to execu…from 0, < 0.8.6f-1
- —CVE-2005-2149config.php in Cacti 0.8.6e and earlier allows remote attackers to set the no_http_headers switch, then modify session information to gain p…from 0, < 0.8.6f-1
- from 0, < 0.8.6e-1
- from 0, < 0.6.7-2.5
- —CVE-2005-1526PHP remote file inclusion vulnerability in config_settings.php in Cacti before 0.8.6e allows remote attackers to execute arbitrary PHP code…from 0, < 0.8.6e-1
- —CVE-2005-1525SQL injection vulnerability in config_settings.php for Cacti before 0.8.6e allows remote attackers to execute arbitrary SQL commands via th…from 0, < 0.8.6e-1
- —CVE-2004-1736Cacti 0.8.5a allows remote attackers to gain sensitive information via an HTTP request to (1) auth.php, (2) auth_login.php, (3) auth_change…from 0, < 0.8.5a-5
- —CVE-2004-1737SQL injection vulnerability in auth_login.php in Cacti 0.8.5a allows remote attackers to execute arbitrary SQL commands and bypass authenti…from 0, < 0.8.5a-5
- —CVE-2002-1478Cacti before 0.6.8 allows attackers to execute arbitrary commands via the "Data Input" option in console mode.from 0, < 0.6.8a-2
- from 0, < 0.6.8a-2
- from 0, < 0.6.7-2.1
- —CVE-2002-1479Cacti before 0.6.8 stores a MySQL username and password in plaintext in config.php, which has world-readable permissions, which allows loca…from 0, < 0.6.8-1