Your message dated Sat, 11 Jul 2026 13:25:58 +0000
with message-id <[email protected]>
and subject line Bug#1140813: fixed in cacti 1.2.31+ds1-1
has caused the Debian Bug report #1140813,
regarding cacti: CVE-2026-39893 CVE-2026-39894 CVE-2026-39897 CVE-2026-39899 
CVE-2026-39900 CVE-2026-39938 CVE-2026-39948 CVE-2026-39951 CVE-2026-39955 
CVE-2026-40079 CVE-2026-40080 CVE-2026-40082 CVE-2026-40083 CVE-2026-40084 
CVE-2026-40941
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1140813: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1140813
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: cacti
Version: 1.2.30+ds1-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerabilities were published for cacti.

CVE-2026-39893[0]:
| Cacti is an open source performance and fault management framework.
| In versions 1.2.30 and prior, the rfilter request variable was
| concatenated into a RLIKE SQL clause without sanitization. The
| endpoint does not require authentication (graph viewing supports
| guest access via the configured guest user), so the SQLi was
| reachable pre-auth on installs with guest viewing enabled. This
| issue was fixed in version 1.2.31.


CVE-2026-39894[1]:
| Cacti is an open source performance and fault management framework.
| In versions 1.2.30 and below, the locale-dependent decimal
| formatting in rrdtool_function_update() can corrupt RRDtool metric
| values. The rrdtool_function_update() function checks metric values
| with is_numeric() and concatenates them into the RRDtool update
| command via PHP string interpolation. PHP's string cast of floats is
| locale-sensitive: if LC_NUMERIC uses comma as decimal separator
| (e.g., de_DE), a value of 1.5 becomes "1,5". RRDtool expects . as
| decimal separator, causing metric data to shift into wrong columns
| or be silently dropped. No setlocale() reset is present in the
| update path. This causes a data integrity issue, but is not remotely
| exploitable; it requires server locale misconfiguration. The issue
| has been fixed in version 1.2.31.


CVE-2026-39897[2]:
| Cacti is an open source performance and fault management framework.
| Versions 1.2.30 and below contain a Reflected XSS vulnerability in
| the html_auth_footer. This issue has been fixed in version 1.2.31.


CVE-2026-39899[3]:
| Cacti is an open source performance and fault management framework.
| Versions 1.2.30 and prior are vulnerable to Path Traversal via
| filename parameter in package_import.php. This issue has been fixed
| in version 1.2.31.


CVE-2026-39900[4]:
| Cacti is an open source performance and fault management framework.
| Versions 1.2.30 and prior are vulnerable to Reflected XSS via tab
| parameter in the auth_profile.php JavaScript context. This issue has
| been fixed in version 1.2.31.


CVE-2026-39938[5]:
| Cacti is an open source performance and fault management framework.
| Versions 1.2.30 and prior have unauthenticated LFI through
| graph_theme and rrdtool IPC serialization hardening. This issue has
| been resolved in version 1.2.31.


CVE-2026-39948[6]:
| Cacti is an open source performance and fault management framework.
| In versions 1.2.30 and prior, the rfilter request parameter is
| retrieved via the raw accessor grv() (rather than gfrv() with
| FILTER_VALIDATE_IS_REGEX validation) and concatenated directly into
| RLIKE SQL clauses in lib/html_graph.php and lib/html_tree.php, which
| are reachable pre-authentication through graph_view.php on
| installations with guest graph viewing enabled. Because the
| unbalanced-quote payload bypasses the regex validation that would
| otherwise reject it, an unauthenticated attacker can inject
| arbitrary SQL to compromise the confidentiality, integrity, and
| availability of the database. This advisory is similar to GHSA-69gg-
| mjfm-jjpc. This issue has been fixed in version 1.2.31.


CVE-2026-39951[7]:
| Cacti is an open source performance and fault management framework.
| Versions 1.2.30 and prior have a Stored SQL Injection vulnerability
| through graph_name_regexp in the Reports feature. This issue has
| been fixed in version 1.2.31.


CVE-2026-39955[8]:
| Cacti is an open source performance and fault management framework.
| Versions 1.2.30 and prior have pre-authentication SQL Injection via
| unanchored FILTER_VALIDATE_REGEXP in graph_view.php. This issue has
| been fixed in version 1.2.31.


CVE-2026-40079[9]:
| Cacti is an open source performance and fault management framework.
| Versions 1.2.30 and prior are vulnerable to Command Injection due to
| lack of sanitization in the escape_command() function. The
| escape_command() function at lib/rrd.php is a no-op: it returns
| $command unchanged. The command line built by
| rrdtool_function_graph() is passed through this function and then to
| shell_exec($full_commandline). The risk is in __rrd_execute() where
| text_format values from graph templates (which may contain host
| variable substitutions) reach shell_exec without adequate escaping.
| This issue has been addressed in version 1.2.31.


CVE-2026-40080[10]:
| Cacti is an open source performance and fault management framework.
| Versions 1.2.30 and prior are vulnerable to Open Redirect through a
| substring check rather than a host check at str_contains($referer,
| CACTI_PATH_URL). When the user's login_opts == '1' (redirect to
| referer after login), the function used $_SERVER['HTTP_REFERER']
| directly.  An attacker could craft a referer such as
| https://evil.com/cacti/. Where CACTI_PATH_URL is /cacti/, the
| substring matches and the user is redirected to evil.com after
| login. The pre-existing validate_redirect_url() helper at
| lib/html_utility.php performed proper validation but was not invoked
| from auth_login_redirect(). This issue has been fixed in version
| 1.2.31.


CVE-2026-40082[11]:
| Cacti is an open source performance and fault management framework.
| Versions 1.2.30 and prior have missing session_regenerate_id() after
| login, leading to Session Fixation. session_regenerate_id() is NOT
| called after successful login. The login flow at
| auth_login.php:203-207 directly sets $_SESSION[SESS_USER_ID] without
| rotating the session ID. The session cookie configuration is
| otherwise good (httponly=true, samesite=Strict, secure=true for
| HTTPS at include/global.php:513-537), but these do not prevent
| session fixation via same-site vectors. This issue has been fixed in
| version 1.2.31.


CVE-2026-40083[12]:
| Cacti is an open source performance and fault management framework.
| Versions 1.2.30 and prior have SQL Injection through unsanitized
| unserialize+implode in managers.php.  At line 756 of managers.php,
| the application assigns $selected_items by calling
| cacti_unserialize(stripslashes(gnrv('selected_graphs_array'))). The
| cacti_unserialize() function calls unserialize() with
| allowed_classes set to false, which prevents object injection but
| still allows arbitrary string  arrays to be deserialized. Then, at
| lines 760 to 766, the deserialized array values are passed directly
| into db_execute('DELETE FROM snmpagent_managers  WHERE id IN (' .
| implode(',', $selected_items) . ')'), where they are imploded into
| the SQL statement without any integer validation, resulting in SQL
| Injection when using SNMP agent management permissions. This issue
| has been fixed in version 1.2.31.


CVE-2026-40084[13]:
| Cacti is an open source performance and fault management framework.
| Versions 1.2.30 and prior are vulnerable to Path Traversal  through
| the Report format_file Parameter, causing arbitrary file read. This
| vulnerability occurs in two stages. In the first stage (stored
| injection), lib/html_reports.php at line 283 stores
| $save['format_file'] =  $post['format_file'] directly into the
| database without any validation. In the second stage (file read),
| lib/reports.php at line 667 concatenates  CACTI_PATH_FORMATS . '/' .
| $format_file, and line 670 then calls file($format_file), reading
| arbitrary files from the filesystem. This issue has been fixed in
| version 1.2.31.


CVE-2026-40941[14]:
| Cacti is an open source performance and fault management framework.
| Versions 1.2.30 and prior have a package import signature validation
| bypass allows which allows self-signed packages. This issue has been
| fixed in version 1.2.31.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-39893
    https://www.cve.org/CVERecord?id=CVE-2026-39893
[1] https://security-tracker.debian.org/tracker/CVE-2026-39894
    https://www.cve.org/CVERecord?id=CVE-2026-39894
[2] https://security-tracker.debian.org/tracker/CVE-2026-39897
    https://www.cve.org/CVERecord?id=CVE-2026-39897
[3] https://security-tracker.debian.org/tracker/CVE-2026-39899
    https://www.cve.org/CVERecord?id=CVE-2026-39899
[4] https://security-tracker.debian.org/tracker/CVE-2026-39900
    https://www.cve.org/CVERecord?id=CVE-2026-39900
[5] https://security-tracker.debian.org/tracker/CVE-2026-39938
    https://www.cve.org/CVERecord?id=CVE-2026-39938
[6] https://security-tracker.debian.org/tracker/CVE-2026-39948
    https://www.cve.org/CVERecord?id=CVE-2026-39948
[7] https://security-tracker.debian.org/tracker/CVE-2026-39951
    https://www.cve.org/CVERecord?id=CVE-2026-39951
[8] https://security-tracker.debian.org/tracker/CVE-2026-39955
    https://www.cve.org/CVERecord?id=CVE-2026-39955
[9] https://security-tracker.debian.org/tracker/CVE-2026-40079
    https://www.cve.org/CVERecord?id=CVE-2026-40079
[10] https://security-tracker.debian.org/tracker/CVE-2026-40080
    https://www.cve.org/CVERecord?id=CVE-2026-40080
[11] https://security-tracker.debian.org/tracker/CVE-2026-40082
    https://www.cve.org/CVERecord?id=CVE-2026-40082
[12] https://security-tracker.debian.org/tracker/CVE-2026-40083
    https://www.cve.org/CVERecord?id=CVE-2026-40083
[13] https://security-tracker.debian.org/tracker/CVE-2026-40084
    https://www.cve.org/CVERecord?id=CVE-2026-40084
[14] https://security-tracker.debian.org/tracker/CVE-2026-40941
    https://www.cve.org/CVERecord?id=CVE-2026-40941

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: cacti
Source-Version: 1.2.31+ds1-1
Done: Paul Gevers <[email protected]>

We believe that the bug you reported is fixed in the latest version of
cacti, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Paul Gevers <[email protected]> (supplier of updated cacti package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 11 Jul 2026 14:57:56 +0200
Source: cacti
Architecture: source
Version: 1.2.31+ds1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Commons <[email protected]>
Changed-By: Paul Gevers <[email protected]>
Closes: 1117523 1126452 1129524 1135250 1140813
Changes:
 cacti (1.2.31+ds1-1) unstable; urgency=medium
 .
   * New upstream version 1.2.31+ds1
     - CVE-2026-39893 CVE-2026-39894 CVE-2026-39897 CVE-2026-39899
       CVE-2026-39900 CVE-2026-39938 CVE-2026-39948 CVE-2026-39951
       CVE-2026-39955 CVE-2026-40079 CVE-2026-40080 CVE-2026-40082
       CVE-2026-40083 CVE-2026-40084 CVE-2026-40941 (Closes: 1140813)
     - Includes old upgrade bug fix (Closes: 1129524)
     - PHP 8.5 compatible (Closes: 1126452)
   * Use dh-phpcomposer during build
   * HTMLPurifier needs a directory it can write to
   * tests: split debian/upstream in two stanza and adapt for latest upstream
   * postinst: don't skip upstream install and upgrade tooling
   * Move ./resource and ./site/scripts to /var/lib/cacti (Closes: #1135250)
   * d/control: replace php-phpseclib with php-phpseclib3 as dependency
     (Closes: #1117523)
Checksums-Sha1:
 c807846b5f11ba411f06b228fdb8f69f034adba7 2455 cacti_1.2.31+ds1-1.dsc
 454779fe48491281743c88d3eee60a1edfed2679 24846798 
cacti_1.2.31+ds1.orig-docs-source.tar.gz
 5ac2a41174bca42034832b9432975f5d7ceb3105 11567581 cacti_1.2.31+ds1.orig.tar.gz
 520b6a1caa117991c4b28b5182339728dacc1a18 59352 cacti_1.2.31+ds1-1.debian.tar.xz
Checksums-Sha256:
 658f80b7231f451676d848c76bc3b3c855c429446b32da8b010ec842f8795ce5 2455 
cacti_1.2.31+ds1-1.dsc
 2148d1e02516a711730a59f1697813760e79246bc02e6286eac8b546e1c3b32b 24846798 
cacti_1.2.31+ds1.orig-docs-source.tar.gz
 ae45723d12c2cd1f2e04a28be1022e99f46cc83c4ac5ac01a1c9ee3802748a4e 11567581 
cacti_1.2.31+ds1.orig.tar.gz
 f8520a203abd9a36afa30f60f6c44473d7179907de91aec71ec109de1ab747d0 59352 
cacti_1.2.31+ds1-1.debian.tar.xz
Files:
 bb4829b4b3fd1e7840aa81ebb47226cc 2455 web optional cacti_1.2.31+ds1-1.dsc
 b40d413e95e1d6efaad147953b0eae72 24846798 web optional 
cacti_1.2.31+ds1.orig-docs-source.tar.gz
 e4474f898c1612f05b590bef4547f48c 11567581 web optional 
cacti_1.2.31+ds1.orig.tar.gz
 2541a5fe763ba98b476f749d9037500e 59352 web optional 
cacti_1.2.31+ds1-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEG5OTVaxMNcrfvXOcBqMo4AxqzhUFAmpSQSIACgkQBqMo4Axq
zhUMIg//VQT/XyIQUOtSy2qvieRsxOdj5L1XIBmFrl1ZTfSHTzVNvebrpyk0fT4v
iAprYFvJ/BLFwu6Tt4ZHE4H+tEKKmt2HpyjqrF7M6MnmCLlfmrJ/wFfETn9Sjp62
trSaENj8sQ/9r3BOmMsldOCSnxQZwx3N4dOP5XEy0CFEZoZ4X4G+So2qRWas8YW9
Kq0XYaKzrBfufJybprj98mvH9XxGOQoc/hRUCR3ABniEczYIKb0vxnMe10RAKsmE
zCtV9wq+tlrTxBivsIVki/dMtci2DCHCfnwOcoIkuH2SHtgEu4+0h1Ydn2v4Q398
kY+NAzQ0JZiLrDVt1KAnEFYI8ZmbP/3jr+QQpKBNuAqVjA/CgxvuiSXJuuigN24F
iZ1zokH3YOGFaW2TxbTLXrInOHXfajaJHZBUvtSMnGyWAr4Khg1j51PMRvlK0ptl
NdFSSmujgPKMJXRpgifyuH4//6/laJja3YqYB5Rz47tYW4a911nY9UjWSgLRD24G
KbUooGr6/YWrWixEFdWbuHrzdFwoVn52rIjLzADGDYBaELJ28XQY7kO+lGETZfAd
4xiYjpuhRtksFQKMh+FXm6sXd0uhY9SGVLtlC6UIsDOi4D21l0ya0kckKuYzEJpX
VAwfwnWrY95jNp8Xo1q3jrI5LvmIDK5Bea/dELavx4+OQKabbF4=
=fK79
-----END PGP SIGNATURE-----

Attachment: pgpOWhKql01kb.pgp
Description: PGP signature


--- End Message ---

Reply via email to