PT-2026-52627 · Cacti · Cacti
Published: 2026-06-25 · Updated: 2026-06-25
CVE-2026-40084
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior are vulnerable to Path Traversal through the Report format file Parameter, causing arbitrary file read. This vulnerability occurs in two stages. In the first stage (stored injection), lib/html_reports.php at line 283 stores $save['format_file'] = $post['format_file'] directly into the database without any validation. In the second stage (file read), lib/reports.php at line 667 concatenates CACTI_PATH_FORMATS . '/' . $format_file, and line 670 then calls file($format_file), reading arbitrary files from the filesystem. This issue has been fixed in version 1.2.31.
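The two-stage pattern described above, next to one way to close it at both stages, as an added example that is neither Cacti's code nor the 1.2.31 patch. FORMATS_DIR, the helper names, the `.format` extension rule and the sandbox files are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Constructed sandbox so the script runs offline; FORMATS_DIR stands in for
// the directory that CACTI_PATH_FORMATS names in the advisory.
$base = sys_get_temp_dir() . '/formats_demo_' . getmypid();
mkdir("$base/formats", 0700, true);
file_put_contents("$base/formats/default.format", "# report format\n");
file_put_contents("$base/secret.txt", "outside the formats directory\n");
define('FORMATS_DIR', "$base/formats");

// Pattern from the advisory: the stored value is concatenated and read as-is.
function read_format_unsafe(string $format_file) {
    return @file(FORMATS_DIR . '/' . $format_file);
}

// Stage 1 control (hypothetical helper): accept only a bare file name with the
// expected extension before the value is written to the database.
function validate_format_name(string $name): bool {
    return $name === basename($name)
        && preg_match('/\A[A-Za-z0-9_.-]+\.format\z/', $name) === 1;
}

// Stage 2 control (hypothetical helper): re-validate the stored value, then
// confirm the resolved path is still inside the formats directory.
function read_format_safe(string $format_file) {
    if (!validate_format_name($format_file)) {
        return false; // rows saved before the fix may still hold bad values
    }
    $root = realpath(FORMATS_DIR);
    $path = realpath(FORMATS_DIR . '/' . $format_file);
    if ($root === false || $path === false) {
        return false;
    }
    // realpath() resolves ".." and symlinks; compare with a trailing separator
    // so that a sibling such as "formats_old" does not pass the prefix check.
    $prefix = $root . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? file($path) : false;
}

// Constructed inputs: one legitimate name, one that climbs out of FORMATS_DIR.
foreach (['default.format', '../secret.txt'] as $name) {
    printf("%-16s unsafe=%-5s safe=%s\n", $name,
        read_format_unsafe($name) === false ? 'fail' : 'read',
        read_format_safe($name) === false ? 'rejected' : 'read');
}
```

Checking at read time as well as at save time matters here because the injection is stored: values written to the database by a vulnerable version remain there after an upgrade.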
Fix
Path traversal
Affected Products
Cacti