PT-2026-50133 · Undefined · Undefined
Published: 2026-06-16 · Updated: 2026-06-16 · CVE-2026-39949
None
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions
Cacti versions prior to 1.2.31
Description
An authenticated remote code execution issue exists where users with graph or device management permissions can execute arbitrary commands on the underlying operating system. The problem stems from the variable substitution engine, which allows graph templates to reference host metadata using variables such as |host_description|, |host_hostname|, and |host_notes|. During graph generation, these variables are expanded and passed as arguments to RRDtool. Because user-controlled host metadata is substituted without sufficient validation or sanitization, malicious input injected into a host field can trigger code execution when a graph is rendered.
Recommendations
Update to version 1.2.31 or later.
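The following is an added example, not code from Cacti or from this advisory: a Python model of the substitution described above, showing how a raw expansion changes the argument boundaries of a command line while a quoted expansion keeps them, plus an audit helper for host fields. The command template, the dict field names, the sample hosts and the deny-list are assumptions made for illustration.

```python
import re
import shlex

# Variable names from the advisory mapped to assumed host field names.
FIELDS = {"host_description": "description",
          "host_hostname": "hostname",
          "host_notes": "notes"}
VAR_RE = re.compile(r"\|(" + "|".join(FIELDS) + r")\|")

# Characters with special meaning to a POSIX shell (assumed audit deny-list).
SHELL_META = re.compile(r"[;&|`$<>(){}\\'\"\n\r]")

# Constructed, simplified command template; not taken from Cacti.
TEMPLATE = "rrdtool graph out.png --title |host_description| --watermark |host_notes|"

# Constructed sample hosts: one ordinary, one with a metacharacter in a field.
HOSTS = [
    {"description": "core-sw1", "hostname": "10.0.0.1", "notes": "rack4"},
    {"description": "lab-sw2; echo INJECTED", "hostname": "10.0.0.2", "notes": "ok"},
]

def expand(template, host, quote):
    """Replace each |host_*| variable with the matching host field value.

    quote=False models the flawed raw substitution; quote=True shell-quotes
    every value so it stays one argument.
    """
    def repl(match):
        value = str(host.get(FIELDS[match.group(1)], ""))
        return shlex.quote(value) if quote else value
    return VAR_RE.sub(repl, template)

def arg_count(template, host, quote):
    """Number of arguments a POSIX tokenizer sees after expansion."""
    return len(shlex.split(expand(template, host, quote)))

def audit(host):
    """Return the substitutable fields whose values contain shell metacharacters."""
    return sorted(f for f in FIELDS.values()
                  if SHELL_META.search(str(host.get(f, ""))))

if __name__ == "__main__":
    for h in HOSTS:
        print(h["hostname"], "flagged fields:", audit(h),
              "| raw args:", arg_count(TEMPLATE, h, quote=False),
              "| quoted args:", arg_count(TEMPLATE, h, quote=True))
```

Quoting is the minimum; passing the expanded values as an argument list to a process started without a shell avoids the tokenizing step entirely.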