CVE-2026-39938

9.8 CRITICAL
Published: June 24, 2026 Modified: June 24, 2026
View on NVD

Description

Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have unauthenticated LFI through graph_theme and rrdtool IPC serialization hardening. This issue has been resolved in version 1.2.31.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://github.com/Cacti/cacti/commit/9871f0cef9af285398d558c9b3188d5977e01a04
Source: security-advisories@github.com
https://github.com/Cacti/cacti/security/advisories/GHSA-rm7p-qcqm-x5m6
Source: security-advisories@github.com

2 reference(s) from NVD

Quick Stats

CVSS v3 Score
9.8 / 10.0
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-22 CWE-78

Related CVEs

CVE-2026-39955 9.8
CVE-2026-39948 N/A
CVE-2026-39900 N/A
CVE-2026-39899 N/A
CVE-2025-8106 N/A