Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/586385?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/586385?format=api", "purl": "pkg:deb/debian/cacti@1.2.24%2Bds1-1%2Bdeb12u5", "type": "deb", "namespace": "debian", "name": "cacti", "version": "1.2.24+ds1-1+deb12u5", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "1.2.30+ds1-1", "latest_non_vulnerable_version": "1.2.30+ds1-1", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/96902?format=api", "vulnerability_id": "VCID-4e5y-1s19-r7g7", "summary": "Cacti is an open source performance and fault management framework. Prior to 1.2.29, there is an input-validation flaw in the SNMP device configuration functionality. An authenticated Cacti user can supply crafted SNMP community strings containing control characters (including newlines) that are accepted, stored verbatim in the database, and later embedded into backend SNMP operations. In environments where downstream SNMP tooling or wrappers interpret newline-separated tokens as command boundaries, this can lead to unintended command execution with the privileges of the Cacti process. 
This vulnerability is fixed in 1.2.29.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-66399", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00353", "scoring_system": "epss", "scoring_elements": "0.57639", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00456", "scoring_system": "epss", "scoring_elements": "0.63876", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00456", "scoring_system": "epss", "scoring_elements": "0.63923", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00456", "scoring_system": "epss", "scoring_elements": "0.63909", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00456", "scoring_system": "epss", "scoring_elements": "0.63885", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00456", "scoring_system": "epss", "scoring_elements": "0.63842", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00456", "scoring_system": "epss", "scoring_elements": "0.63893", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00456", "scoring_system": "epss", "scoring_elements": "0.6391", "published_at": "2026-04-09T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-66399" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-66399", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-66399" }, { "reference_url": "https://github.com/Cacti/cacti/security/advisories/GHSA-c7rr-2h93-7gjf", "reference_id": "GHSA-c7rr-2h93-7gjf", "reference_type": "", "scores": [ { "value": "7.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-12-02T18:25:47Z/" } ], "url": "https://github.com/Cacti/cacti/security/advisories/GHSA-c7rr-2h93-7gjf" } ], "fixed_packages": [ { "url": 
"http://public2.vulnerablecode.io/api/packages/586386?format=api", "purl": "pkg:deb/debian/cacti@1.2.30%2Bds1-1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/cacti@1.2.30%252Bds1-1" } ], "aliases": [ "CVE-2025-66399" ], "risk_score": 3.4, "exploitability": "0.5", "weighted_severity": "6.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-4e5y-1s19-r7g7" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/51602?format=api", "vulnerability_id": "VCID-pxqa-nkv3-jqfs", "summary": "Multiple vulnerabilities have been discovered in Cacti, the worst of which can lead to privilege escalation.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-30534", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.48534", "scoring_system": "epss", "scoring_elements": "0.97733", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.48534", "scoring_system": "epss", "scoring_elements": "0.97735", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.48534", "scoring_system": "epss", "scoring_elements": "0.9774", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.48534", "scoring_system": "epss", "scoring_elements": "0.97744", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.48534", "scoring_system": "epss", "scoring_elements": "0.97746", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.48534", "scoring_system": "epss", "scoring_elements": "0.97749", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.48534", "scoring_system": "epss", "scoring_elements": "0.9775", "published_at": "2026-04-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-30534" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30534", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30534" }, { 
"reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CFH3J2WVBKY4ZJNMARVOWJQK6PSLPHFH/", "reference_id": "CFH3J2WVBKY4ZJNMARVOWJQK6PSLPHFH", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-26T19:08:26Z/" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CFH3J2WVBKY4ZJNMARVOWJQK6PSLPHFH/" }, { "reference_url": "https://www.fastly.com/blog/cve-2023-30534-insecure-deserialization-in-cacti-prior-to-1-2-25", "reference_id": "cve-2023-30534-insecure-deserialization-in-cacti-prior-to-1-2-25", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-26T19:08:26Z/" } ], "url": "https://www.fastly.com/blog/cve-2023-30534-insecure-deserialization-in-cacti-prior-to-1-2-25" }, { "reference_url": "https://github.com/Cacti/cacti/security/advisories/GHSA-77rf-774j-6h3p", "reference_id": "GHSA-77rf-774j-6h3p", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-26T19:08:26Z/" } ], "url": "https://github.com/Cacti/cacti/security/advisories/GHSA-77rf-774j-6h3p" }, { "reference_url": "https://security.gentoo.org/glsa/202412-02", "reference_id": "GLSA-202412-02", "reference_type": "", "scores": [], "url": "https://security.gentoo.org/glsa/202412-02" }, { "reference_url": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WOQFYGLZBAWT4AWNMO7DU73QXWPXTCKH/", "reference_id": "WOQFYGLZBAWT4AWNMO7DU73QXWPXTCKH", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-26T19:08:26Z/" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WOQFYGLZBAWT4AWNMO7DU73QXWPXTCKH/" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WZGB2UXJEUYWWA6IWVFQ3ZTP22FIHMGN/", "reference_id": "WZGB2UXJEUYWWA6IWVFQ3ZTP22FIHMGN", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-26T19:08:26Z/" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WZGB2UXJEUYWWA6IWVFQ3ZTP22FIHMGN/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/586386?format=api", "purl": "pkg:deb/debian/cacti@1.2.30%2Bds1-1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/cacti@1.2.30%252Bds1-1" } ], "aliases": [ "CVE-2023-30534" ], "risk_score": 1.9, "exploitability": "0.5", "weighted_severity": "3.9", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-pxqa-nkv3-jqfs" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/95769?format=api", "vulnerability_id": "VCID-xkkm-ss3p-1udc", "summary": "SQL Injection vulnerability in Cacti v1.2.25 allows a remote attacker to obtain sensitive information via the form_actions() 
function in the managers.php file.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-46490", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00207", "scoring_system": "epss", "scoring_elements": "0.43075", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00207", "scoring_system": "epss", "scoring_elements": "0.43124", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00207", "scoring_system": "epss", "scoring_elements": "0.43071", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00207", "scoring_system": "epss", "scoring_elements": "0.43098", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00207", "scoring_system": "epss", "scoring_elements": "0.43037", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00207", "scoring_system": "epss", "scoring_elements": "0.4309", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00207", "scoring_system": "epss", "scoring_elements": "0.43102", "published_at": "2026-04-09T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-46490" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-46490", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-46490" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059286", "reference_id": "1059286", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059286" }, { "reference_url": "https://gist.github.com/ISHGARD-2/a95632111138fcd7ccf7432ccb145b53", "reference_id": "a95632111138fcd7ccf7432ccb145b53", "reference_type": "", "scores": [ { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-10T14:48:55Z/" } ], "url": "https://gist.github.com/ISHGARD-2/a95632111138fcd7ccf7432ccb145b53" }, { "reference_url": 
"https://github.com/Cacti/cacti/security/advisories/GHSA-f4r3-53jr-654c", "reference_id": "GHSA-f4r3-53jr-654c", "reference_type": "", "scores": [ { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-10T14:48:55Z/" } ], "url": "https://github.com/Cacti/cacti/security/advisories/GHSA-f4r3-53jr-654c" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/586386?format=api", "purl": "pkg:deb/debian/cacti@1.2.30%2Bds1-1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/cacti@1.2.30%252Bds1-1" } ], "aliases": [ "CVE-2023-46490" ], "risk_score": null, "exploitability": "0.5", "weighted_severity": "0.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-xkkm-ss3p-1udc" } ], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/96094?format=api", "vulnerability_id": "VCID-3y7d-ujep-4ydm", "summary": "Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, Cacti calls `compat_password_hash` when users set their password. `compat_password_hash` uses `password_hash` if it is available and otherwise falls back to `md5`. When verifying a password, Cacti calls `compat_password_verify`, which likewise calls `password_verify` if it is available and otherwise falls back to `md5`. According to the PHP manual, `password_verify` and `password_hash` are not available on PHP < 5.5.0, so the `md5` fallback is the path used there. The vulnerability is in `compat_password_verify`: the MD5 hash of the user input is compared with the correct password in the database using `$md5 == $hash`, a loose comparison rather than `===`. This is a type juggling vulnerability. 
Version 1.2.27 contains a patch for the issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-34340", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00842", "scoring_system": "epss", "scoring_elements": "0.74739", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00842", "scoring_system": "epss", "scoring_elements": "0.74732", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00842", "scoring_system": "epss", "scoring_elements": "0.74747", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00842", "scoring_system": "epss", "scoring_elements": "0.7477", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00842", "scoring_system": "epss", "scoring_elements": "0.74749", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00842", "scoring_system": "epss", "scoring_elements": "0.74699", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00842", "scoring_system": "epss", "scoring_elements": "0.74726", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00842", "scoring_system": "epss", "scoring_elements": "0.747", "published_at": "2026-04-07T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-34340" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34340", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34340" }, { "reference_url": "https://github.com/Cacti/cacti/security/advisories/GHSA-37x7-mfjv-mm7m", "reference_id": "GHSA-37x7-mfjv-mm7m", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-13T17:13:47Z/" } ], "url": "https://github.com/Cacti/cacti/security/advisories/GHSA-37x7-mfjv-mm7m" }, { "reference_url": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RBEOAFKRARQHTDIYSL723XAFJ2Q6624X/", "reference_id": "RBEOAFKRARQHTDIYSL723XAFJ2Q6624X", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-13T17:13:47Z/" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RBEOAFKRARQHTDIYSL723XAFJ2Q6624X/" }, { "reference_url": "https://usn.ubuntu.com/6969-1/", "reference_id": "USN-6969-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/6969-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/586385?format=api", "purl": "pkg:deb/debian/cacti@1.2.24%2Bds1-1%2Bdeb12u5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4e5y-1s19-r7g7" }, { "vulnerability": "VCID-pxqa-nkv3-jqfs" }, { "vulnerability": "VCID-xkkm-ss3p-1udc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/cacti@1.2.24%252Bds1-1%252Bdeb12u5" } ], "aliases": [ "CVE-2024-34340" ], "risk_score": 4.1, "exploitability": "0.5", "weighted_severity": "8.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-3y7d-ujep-4ydm" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/96069?format=api", "vulnerability_id": "VCID-44fx-4w2y-y3dy", "summary": "Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, some of the data stored in `form_save()` function in `graph_template_inputs.php` is not thoroughly checked and is used to concatenate the SQL statement in `draw_nontemplated_fields_graph_item()` function from `lib/html_form_templates.php` , finally resulting in SQL injection. 
Version 1.2.27 contains a patch for the issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-31458", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.06015", "scoring_system": "epss", "scoring_elements": "0.90711", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.06015", "scoring_system": "epss", "scoring_elements": "0.907", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.06015", "scoring_system": "epss", "scoring_elements": "0.90705", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.06015", "scoring_system": "epss", "scoring_elements": "0.90714", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.06015", "scoring_system": "epss", "scoring_elements": "0.90715", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.06015", "scoring_system": "epss", "scoring_elements": "0.9067", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.06015", "scoring_system": "epss", "scoring_elements": "0.9068", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.06015", "scoring_system": "epss", "scoring_elements": "0.90689", "published_at": "2026-04-07T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-31458" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-31458", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-31458" }, { "reference_url": "https://github.com/Cacti/cacti/security/advisories/GHSA-jrxg-8wh8-943x", "reference_id": "GHSA-jrxg-8wh8-943x", "reference_type": "", "scores": [ { "value": "4.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-05-13T17:19:29Z/" } ], "url": "https://github.com/Cacti/cacti/security/advisories/GHSA-jrxg-8wh8-943x" }, { "reference_url": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RBEOAFKRARQHTDIYSL723XAFJ2Q6624X/", "reference_id": "RBEOAFKRARQHTDIYSL723XAFJ2Q6624X", "reference_type": "", "scores": [ { "value": "4.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-05-13T17:19:29Z/" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RBEOAFKRARQHTDIYSL723XAFJ2Q6624X/" }, { "reference_url": "https://usn.ubuntu.com/6969-1/", "reference_id": "USN-6969-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/6969-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/586385?format=api", "purl": "pkg:deb/debian/cacti@1.2.24%2Bds1-1%2Bdeb12u5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4e5y-1s19-r7g7" }, { "vulnerability": "VCID-pxqa-nkv3-jqfs" }, { "vulnerability": "VCID-xkkm-ss3p-1udc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/cacti@1.2.24%252Bds1-1%252Bdeb12u5" } ], "aliases": [ "CVE-2024-31458" ], "risk_score": 2.0, "exploitability": "0.5", "weighted_severity": "4.1", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-44fx-4w2y-y3dy" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/96527?format=api", "vulnerability_id": "VCID-4twv-1yys-eban", "summary": "Cacti is an open source performance and fault management framework. Due to a flaw in multi-line SNMP result parser, authenticated users can inject malformed OIDs in the response. When processed by ss_net_snmp_disk_io() or ss_net_snmp_disk_bytes(), a part of each OID will be used as a key in an array that is used as part of a system command, causing a command execution vulnerability. 
This vulnerability is fixed in 1.2.29.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-22604", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.72211", "scoring_system": "epss", "scoring_elements": "0.98754", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.72211", "scoring_system": "epss", "scoring_elements": "0.98749", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.72211", "scoring_system": "epss", "scoring_elements": "0.9875", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.72211", "scoring_system": "epss", "scoring_elements": "0.98753", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.72211", "scoring_system": "epss", "scoring_elements": "0.98742", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.72211", "scoring_system": "epss", "scoring_elements": "0.98746", "published_at": "2026-04-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-22604" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-22604", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-22604" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1094574", "reference_id": "1094574", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1094574" }, { "reference_url": "https://github.com/Cacti/cacti/commit/c7e4ee798d263a3209ae6e7ba182c7b65284d8f0", "reference_id": "c7e4ee798d263a3209ae6e7ba182c7b65284d8f0", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-01-27T18:46:22Z/" } ], "url": "https://github.com/Cacti/cacti/commit/c7e4ee798d263a3209ae6e7ba182c7b65284d8f0" }, { "reference_url": 
"https://github.com/Cacti/cacti/security/advisories/GHSA-c5j8-jxj3-hh36", "reference_id": "GHSA-c5j8-jxj3-hh36", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-01-27T18:46:22Z/" } ], "url": "https://github.com/Cacti/cacti/security/advisories/GHSA-c5j8-jxj3-hh36" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/586385?format=api", "purl": "pkg:deb/debian/cacti@1.2.24%2Bds1-1%2Bdeb12u5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4e5y-1s19-r7g7" }, { "vulnerability": "VCID-pxqa-nkv3-jqfs" }, { "vulnerability": "VCID-xkkm-ss3p-1udc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/cacti@1.2.24%252Bds1-1%252Bdeb12u5" } ], "aliases": [ "CVE-2025-22604" ], "risk_score": 4.1, "exploitability": "0.5", "weighted_severity": "8.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-4twv-1yys-eban" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/96066?format=api", "vulnerability_id": "VCID-6t6n-ws5n-wkay", "summary": "Cacti provides an operational monitoring and fault management framework. Prior to 1.2.27, some of the data stored in `form_save()` function in `data_queries.php` is not thoroughly checked and is used to concatenate the HTML statement in `grow_right_pane_tree()` function from `lib/html.php` , finally resulting in cross-site scripting. 
Version 1.2.27 contains a patch for the issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-31443", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00493", "scoring_system": "epss", "scoring_elements": "0.65708", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00493", "scoring_system": "epss", "scoring_elements": "0.65702", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00493", "scoring_system": "epss", "scoring_elements": "0.65667", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00493", "scoring_system": "epss", "scoring_elements": "0.65719", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00493", "scoring_system": "epss", "scoring_elements": "0.65731", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00493", "scoring_system": "epss", "scoring_elements": "0.65752", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00493", "scoring_system": "epss", "scoring_elements": "0.65737", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00493", "scoring_system": "epss", "scoring_elements": "0.65672", "published_at": "2026-04-02T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-31443" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-31443", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-31443" }, { "reference_url": "https://github.com/Cacti/cacti/commit/f946fa537d19678f938ddbd784a10e3290d275cf", "reference_id": "f946fa537d19678f938ddbd784a10e3290d275cf", "reference_type": "", "scores": [ { "value": "5.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-13T17:21:18Z/" } ], "url": "https://github.com/Cacti/cacti/commit/f946fa537d19678f938ddbd784a10e3290d275cf" }, { "reference_url": 
"https://github.com/Cacti/cacti/security/advisories/GHSA-rqc8-78cm-85j3", "reference_id": "GHSA-rqc8-78cm-85j3", "reference_type": "", "scores": [ { "value": "5.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-13T17:21:18Z/" } ], "url": "https://github.com/Cacti/cacti/security/advisories/GHSA-rqc8-78cm-85j3" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RBEOAFKRARQHTDIYSL723XAFJ2Q6624X/", "reference_id": "RBEOAFKRARQHTDIYSL723XAFJ2Q6624X", "reference_type": "", "scores": [ { "value": "5.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-13T17:21:18Z/" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RBEOAFKRARQHTDIYSL723XAFJ2Q6624X/" }, { "reference_url": "https://usn.ubuntu.com/6969-1/", "reference_id": "USN-6969-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/6969-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/586385?format=api", "purl": "pkg:deb/debian/cacti@1.2.24%2Bds1-1%2Bdeb12u5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4e5y-1s19-r7g7" }, { "vulnerability": "VCID-pxqa-nkv3-jqfs" }, { "vulnerability": "VCID-xkkm-ss3p-1udc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/cacti@1.2.24%252Bds1-1%252Bdeb12u5" } ], "aliases": [ "CVE-2024-31443" ], "risk_score": 2.5, "exploitability": "0.5", "weighted_severity": "5.1", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-6t6n-ws5n-wkay" }, { "url": 
"http://public2.vulnerablecode.io/api/vulnerabilities/96207?format=api", "vulnerability_id": "VCID-6ze5-dqdn-ykg3", "summary": "Cacti is an open source performance and fault management framework. Prior to 1.2.29, an administrator can change the `Poller Standard Error Log Path` parameter in either Installation Step 5 or in Configuration->Settings->Paths tab to a local file inside the server. Then simply going to Logs tab and selecting the name of the local file will show its content on the web UI. This vulnerability is fixed in 1.2.29.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-45598", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00063", "scoring_system": "epss", "scoring_elements": "0.19758", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00063", "scoring_system": "epss", "scoring_elements": "0.1981", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00063", "scoring_system": "epss", "scoring_elements": "0.19532", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00063", "scoring_system": "epss", "scoring_elements": "0.19611", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00063", "scoring_system": "epss", "scoring_elements": "0.19664", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00063", "scoring_system": "epss", "scoring_elements": "0.19668", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00087", "scoring_system": "epss", "scoring_elements": "0.24993", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00087", "scoring_system": "epss", "scoring_elements": "0.24939", "published_at": "2026-04-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-45598" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45598", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45598" }, { "reference_url": 
"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1094574", "reference_id": "1094574", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1094574" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/586385?format=api", "purl": "pkg:deb/debian/cacti@1.2.24%2Bds1-1%2Bdeb12u5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4e5y-1s19-r7g7" }, { "vulnerability": "VCID-pxqa-nkv3-jqfs" }, { "vulnerability": "VCID-xkkm-ss3p-1udc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/cacti@1.2.24%252Bds1-1%252Bdeb12u5" } ], "aliases": [ "CVE-2024-45598" ], "risk_score": null, "exploitability": "0.5", "weighted_severity": "0.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-6ze5-dqdn-ykg3" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/96561?format=api", "vulnerability_id": "VCID-7m68-seeq-tuae", "summary": "Cacti is an open source performance and fault management framework. Some of the data stored in automation_tree_rules.php is not thoroughly checked and is used to concatenate the SQL statement in build_rule_item_filter() function from lib/api_automation.php, resulting in SQL injection. 
This vulnerability is fixed in 1.2.29.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-24368", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00069", "scoring_system": "epss", "scoring_elements": "0.2139", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00069", "scoring_system": "epss", "scoring_elements": "0.21335", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00112", "scoring_system": "epss", "scoring_elements": "0.29586", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00112", "scoring_system": "epss", "scoring_elements": "0.2964", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00112", "scoring_system": "epss", "scoring_elements": "0.29678", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00112", "scoring_system": "epss", "scoring_elements": "0.2968", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00112", "scoring_system": "epss", "scoring_elements": "0.29636", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00146", "scoring_system": "epss", "scoring_elements": "0.34947", "published_at": "2026-04-07T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-24368" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-24368", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-24368" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1094574", "reference_id": "1094574", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1094574" }, { "reference_url": "https://github.com/Cacti/cacti/commit/c7e4ee798d263a3209ae6e7ba182c7b65284d8f0", "reference_id": "c7e4ee798d263a3209ae6e7ba182c7b65284d8f0", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "Track", 
"scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-01-27T18:53:31Z/" } ], "url": "https://github.com/Cacti/cacti/commit/c7e4ee798d263a3209ae6e7ba182c7b65284d8f0" }, { "reference_url": "https://github.com/Cacti/cacti/security/advisories/GHSA-f9c7-7rc3-574c", "reference_id": "GHSA-f9c7-7rc3-574c", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-01-27T18:53:31Z/" } ], "url": "https://github.com/Cacti/cacti/security/advisories/GHSA-f9c7-7rc3-574c" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/586385?format=api", "purl": "pkg:deb/debian/cacti@1.2.24%2Bds1-1%2Bdeb12u5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4e5y-1s19-r7g7" }, { "vulnerability": "VCID-pxqa-nkv3-jqfs" }, { "vulnerability": "VCID-xkkm-ss3p-1udc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/cacti@1.2.24%252Bds1-1%252Bdeb12u5" } ], "aliases": [ "CVE-2025-24368" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-7m68-seeq-tuae" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/96001?format=api", "vulnerability_id": "VCID-85gc-u991-z3dw", "summary": "Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, an arbitrary file write vulnerability, exploitable through the \"Package Import\" feature, allows authenticated users having the \"Import Templates\" permission to execute arbitrary PHP code on the web server. The vulnerability is located within the `import_package()` function defined into the `/lib/import.php` script. 
The function blindly trusts the filename and file content provided within the XML data, and writes such files into the Cacti base path (or even outside, since path traversal sequences are not filtered). This can be exploited to write or overwrite arbitrary files on the web server, leading to execution of arbitrary PHP code or other security impacts. Version 1.2.27 contains a patch for this issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-25641", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.88383", "scoring_system": "epss", "scoring_elements": "0.99491", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.88383", "scoring_system": "epss", "scoring_elements": "0.99498", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.88383", "scoring_system": "epss", "scoring_elements": "0.99497", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.88383", "scoring_system": "epss", "scoring_elements": "0.99496", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.88383", "scoring_system": "epss", "scoring_elements": "0.99495", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.88383", "scoring_system": "epss", "scoring_elements": "0.99493", "published_at": "2026-04-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-25641" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25641", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25641" }, { "reference_url": "http://seclists.org/fulldisclosure/2024/May/6", "reference_id": "6", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-05-17T04:00:38Z/" } ], "url": "http://seclists.org/fulldisclosure/2024/May/6" }, { 
"reference_url": "https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/webapps/52225.txt", "reference_id": "CVE-2024-25641", "reference_type": "exploit", "scores": [], "url": "https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/webapps/52225.txt" }, { "reference_url": "https://github.com/Cacti/cacti/commit/eff35b0ff26cc27c82d7880469ed6d5e3bef6210", "reference_id": "eff35b0ff26cc27c82d7880469ed6d5e3bef6210", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-05-17T04:00:38Z/" } ], "url": "https://github.com/Cacti/cacti/commit/eff35b0ff26cc27c82d7880469ed6d5e3bef6210" }, { "reference_url": "https://github.com/Cacti/cacti/security/advisories/GHSA-7cmj-g5qc-pj88", "reference_id": "GHSA-7cmj-g5qc-pj88", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-05-17T04:00:38Z/" } ], "url": "https://github.com/Cacti/cacti/security/advisories/GHSA-7cmj-g5qc-pj88" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RBEOAFKRARQHTDIYSL723XAFJ2Q6624X/", "reference_id": "RBEOAFKRARQHTDIYSL723XAFJ2Q6624X", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-05-17T04:00:38Z/" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RBEOAFKRARQHTDIYSL723XAFJ2Q6624X/" }, { "reference_url": "https://usn.ubuntu.com/6969-1/", 
"reference_id": "USN-6969-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/6969-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/586385?format=api", "purl": "pkg:deb/debian/cacti@1.2.24%2Bds1-1%2Bdeb12u5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4e5y-1s19-r7g7" }, { "vulnerability": "VCID-pxqa-nkv3-jqfs" }, { "vulnerability": "VCID-xkkm-ss3p-1udc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/cacti@1.2.24%252Bds1-1%252Bdeb12u5" } ], "aliases": [ "CVE-2024-25641" ], "risk_score": 10.0, "exploitability": "2.0", "weighted_severity": "8.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-85gc-u991-z3dw" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/96189?format=api", "vulnerability_id": "VCID-be57-gxmc-vqd4", "summary": "Cacti is an open source performance and fault management framework. The `fileurl` parameter is not properly sanitized when saving external links in `links.php`. Moreover, the said fileurl is placed in some html code which is passed to the `print` function in `link.php` and `index.php`, finally leading to stored XSS. Users with the privilege to create external links can manipulate the `fileurl` parameter in the http post request while creating external links to perform stored XSS attacks. The vulnerability known as XSS (Cross-Site Scripting) occurs when an application allows untrusted user input to be displayed on a web page without proper validation or escaping. This issue has been addressed in release version 1.2.28. All users are advised to upgrade. 
There are no known workarounds for this issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-43362", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.05453", "scoring_system": "epss", "scoring_elements": "0.90185", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.05453", "scoring_system": "epss", "scoring_elements": "0.90183", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.05453", "scoring_system": "epss", "scoring_elements": "0.90192", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.05453", "scoring_system": "epss", "scoring_elements": "0.90191", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.05453", "scoring_system": "epss", "scoring_elements": "0.90156", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.05453", "scoring_system": "epss", "scoring_elements": "0.90162", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.05453", "scoring_system": "epss", "scoring_elements": "0.90177", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.07763", "scoring_system": "epss", "scoring_elements": "0.91918", "published_at": "2026-04-02T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-43362" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-43362", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-43362" }, { "reference_url": "https://github.com/Cacti/cacti/security/advisories/GHSA-wh9c-v56x-v77c", "reference_id": "GHSA-wh9c-v56x-v77c", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-08T13:07:47Z/" } ], "url": "https://github.com/Cacti/cacti/security/advisories/GHSA-wh9c-v56x-v77c" } ], "fixed_packages": [ { "url": 
"http://public2.vulnerablecode.io/api/packages/586385?format=api", "purl": "pkg:deb/debian/cacti@1.2.24%2Bds1-1%2Bdeb12u5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4e5y-1s19-r7g7" }, { "vulnerability": "VCID-pxqa-nkv3-jqfs" }, { "vulnerability": "VCID-xkkm-ss3p-1udc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/cacti@1.2.24%252Bds1-1%252Bdeb12u5" } ], "aliases": [ "CVE-2024-43362" ], "risk_score": 3.3, "exploitability": "0.5", "weighted_severity": "6.6", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-be57-gxmc-vqd4" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/95328?format=api", "vulnerability_id": "VCID-cqr3-wwhj-tyck", "summary": "In Cacti 1.2.19, there is an authentication bypass in the web login functionality because of improper validation in the PHP code: cacti_ldap_auth() allows a zero as the password.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-48538", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00068", "scoring_system": "epss", "scoring_elements": "0.20997", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00068", "scoring_system": "epss", "scoring_elements": "0.21007", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00068", "scoring_system": "epss", "scoring_elements": "0.21177", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00068", "scoring_system": "epss", "scoring_elements": "0.21232", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00068", "scoring_system": "epss", "scoring_elements": "0.20945", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00068", "scoring_system": "epss", "scoring_elements": "0.21026", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00068", "scoring_system": "epss", "scoring_elements": "0.21085", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00068", "scoring_system": "epss", 
"scoring_elements": "0.21103", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00068", "scoring_system": "epss", "scoring_elements": "0.21059", "published_at": "2026-04-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-48538" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-48538", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-48538" }, { "reference_url": "https://github.com/Cacti/cacti/issues/5189", "reference_id": "5189", "reference_type": "", "scores": [ { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-03T14:17:25Z/" } ], "url": "https://github.com/Cacti/cacti/issues/5189" }, { "reference_url": "https://docs.cacti.net/Settings-Auth-LDAP.md", "reference_id": "Settings-Auth-LDAP.md", "reference_type": "", "scores": [ { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-03T14:17:25Z/" } ], "url": "https://docs.cacti.net/Settings-Auth-LDAP.md" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/586385?format=api", "purl": "pkg:deb/debian/cacti@1.2.24%2Bds1-1%2Bdeb12u5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4e5y-1s19-r7g7" }, { "vulnerability": "VCID-pxqa-nkv3-jqfs" }, { "vulnerability": "VCID-xkkm-ss3p-1udc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/cacti@1.2.24%252Bds1-1%252Bdeb12u5" } ], "aliases": [ "CVE-2022-48538" ], "risk_score": null, "exploitability": "0.5", "weighted_severity": "0.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-cqr3-wwhj-tyck" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/96068?format=api", "vulnerability_id": "VCID-fhtp-y9a5-vqgj", "summary": "Cacti provides an operational monitoring and fault management framework. 
Prior to version 1.2.27, a SQL injection vulnerability in the `automation_get_new_graphs_sql` function of `api_automation.php` allows authenticated users to exploit these SQL injection vulnerabilities to perform privilege escalation and remote code execution. In `api_automation.php` line 856, the `get_request_var('filter')` is being concatenated into the SQL statement without any sanitization. In `api_automation.php` line 717, the filter of `'filter'` is `FILTER_DEFAULT`, which means there is no filter for it. Version 1.2.27 contains a patch for the issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-31445", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.39471", "scoring_system": "epss", "scoring_elements": "0.97293", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.39471", "scoring_system": "epss", "scoring_elements": "0.97298", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.39471", "scoring_system": "epss", "scoring_elements": "0.97297", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.39471", "scoring_system": "epss", "scoring_elements": "0.97296", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.39471", "scoring_system": "epss", "scoring_elements": "0.9728", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.39471", "scoring_system": "epss", "scoring_elements": "0.97285", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.39471", "scoring_system": "epss", "scoring_elements": "0.97286", "published_at": "2026-04-07T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-31445" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-31445", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-31445" }, { "reference_url": "https://github.com/Cacti/cacti/blob/501712998589763d411a68d35e3cda98fd9cfd18/lib/api_automation.php#L717", "reference_id": 
"api_automation.php#L717", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-05-17T04:00:40Z/" } ], "url": "https://github.com/Cacti/cacti/blob/501712998589763d411a68d35e3cda98fd9cfd18/lib/api_automation.php#L717" }, { "reference_url": "https://github.com/Cacti/cacti/blob/501712998589763d411a68d35e3cda98fd9cfd18/lib/api_automation.php#L856", "reference_id": "api_automation.php#L856", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-05-17T04:00:40Z/" } ], "url": "https://github.com/Cacti/cacti/blob/501712998589763d411a68d35e3cda98fd9cfd18/lib/api_automation.php#L856" }, { "reference_url": "https://github.com/Cacti/cacti/commit/fd93c6e47651958b77c3bbe6a01fff695f81e886", "reference_id": "fd93c6e47651958b77c3bbe6a01fff695f81e886", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-05-17T04:00:40Z/" } ], "url": "https://github.com/Cacti/cacti/commit/fd93c6e47651958b77c3bbe6a01fff695f81e886" }, { "reference_url": "https://github.com/Cacti/cacti/security/advisories/GHSA-vjph-r677-6pcc", "reference_id": "GHSA-vjph-r677-6pcc", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-05-17T04:00:40Z/" } ], "url": 
"https://github.com/Cacti/cacti/security/advisories/GHSA-vjph-r677-6pcc" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RBEOAFKRARQHTDIYSL723XAFJ2Q6624X/", "reference_id": "RBEOAFKRARQHTDIYSL723XAFJ2Q6624X", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-05-17T04:00:40Z/" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RBEOAFKRARQHTDIYSL723XAFJ2Q6624X/" }, { "reference_url": "https://usn.ubuntu.com/6969-1/", "reference_id": "USN-6969-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/6969-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/586385?format=api", "purl": "pkg:deb/debian/cacti@1.2.24%2Bds1-1%2Bdeb12u5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4e5y-1s19-r7g7" }, { "vulnerability": "VCID-pxqa-nkv3-jqfs" }, { "vulnerability": "VCID-xkkm-ss3p-1udc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/cacti@1.2.24%252Bds1-1%252Bdeb12u5" } ], "aliases": [ "CVE-2024-31445" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "7.9", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-fhtp-y9a5-vqgj" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/96190?format=api", "vulnerability_id": "VCID-hj89-pnag-3fer", "summary": "Cacti is an open source performance and fault management framework. An admin user can create a device with a malicious hostname containing php code and repeat the installation process (completing only step 5 of the installation process is enough, no need to complete the steps before or after it) to use a php file as the cacti log file. 
After having the malicious hostname end up in the logs (log poisoning), one can simply go to the log file url to execute commands to achieve RCE. This issue has been addressed in version 1.2.28 and all users are advised to upgrade. There are no known workarounds for this vulnerability.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-43363", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.75133", "scoring_system": "epss", "scoring_elements": "0.98876", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.75133", "scoring_system": "epss", "scoring_elements": "0.98873", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.75133", "scoring_system": "epss", "scoring_elements": "0.98875", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.75133", "scoring_system": "epss", "scoring_elements": "0.98868", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.75133", "scoring_system": "epss", "scoring_elements": "0.98869", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.75133", "scoring_system": "epss", "scoring_elements": "0.98872", "published_at": "2026-04-09T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-43363" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-43363", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-43363" }, { "reference_url": "https://github.com/Cacti/cacti/security/advisories/GHSA-gxq4-mv8h-6qj4", "reference_id": "GHSA-gxq4-mv8h-6qj4", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-10-08T14:21:20Z/" } ], "url": "https://github.com/Cacti/cacti/security/advisories/GHSA-gxq4-mv8h-6qj4" } ], "fixed_packages": [ { "url": 
"http://public2.vulnerablecode.io/api/packages/586385?format=api", "purl": "pkg:deb/debian/cacti@1.2.24%2Bds1-1%2Bdeb12u5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4e5y-1s19-r7g7" }, { "vulnerability": "VCID-pxqa-nkv3-jqfs" }, { "vulnerability": "VCID-xkkm-ss3p-1udc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/cacti@1.2.24%252Bds1-1%252Bdeb12u5" } ], "aliases": [ "CVE-2024-43363" ], "risk_score": 3.2, "exploitability": "0.5", "weighted_severity": "6.5", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-hj89-pnag-3fer" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/96070?format=api", "vulnerability_id": "VCID-jkca-shmj-mbbu", "summary": "Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, there is a file inclusion issue in the `lib/plugin.php` file. Combined with SQL injection vulnerabilities, remote code execution can be implemented. There is a file inclusion issue with the `api_plugin_hook()` function in the `lib/plugin.php` file, which reads the plugin_hooks and plugin_config tables in database. The read data is directly used to concatenate the file path which is used for file inclusion. 
Version 1.2.27 contains a patch for the issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-31459", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.01844", "scoring_system": "epss", "scoring_elements": "0.82968", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.01844", "scoring_system": "epss", "scoring_elements": "0.82921", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.01844", "scoring_system": "epss", "scoring_elements": "0.82933", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.01844", "scoring_system": "epss", "scoring_elements": "0.8293", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.01844", "scoring_system": "epss", "scoring_elements": "0.82955", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.01844", "scoring_system": "epss", "scoring_elements": "0.82962", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.01844", "scoring_system": "epss", "scoring_elements": "0.82977", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.01844", "scoring_system": "epss", "scoring_elements": "0.82972", "published_at": "2026-04-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-31459" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-31459", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-31459" }, { "reference_url": "https://github.com/Cacti/cacti/security/advisories/GHSA-cx8g-hvq8-p2rv", "reference_id": "GHSA-cx8g-hvq8-p2rv", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-05-17T04:00:41Z/" } ], "url": "https://github.com/Cacti/cacti/security/advisories/GHSA-cx8g-hvq8-p2rv" }, { "reference_url": 
"https://github.com/Cacti/cacti/security/advisories/GHSA-gj3f-p326-gh8r", "reference_id": "GHSA-gj3f-p326-gh8r", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-05-17T04:00:41Z/" } ], "url": "https://github.com/Cacti/cacti/security/advisories/GHSA-gj3f-p326-gh8r" }, { "reference_url": "https://github.com/Cacti/cacti/security/advisories/GHSA-pfh9-gwm6-86vp", "reference_id": "GHSA-pfh9-gwm6-86vp", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-05-17T04:00:41Z/" } ], "url": "https://github.com/Cacti/cacti/security/advisories/GHSA-pfh9-gwm6-86vp" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RBEOAFKRARQHTDIYSL723XAFJ2Q6624X/", "reference_id": "RBEOAFKRARQHTDIYSL723XAFJ2Q6624X", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-05-17T04:00:41Z/" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RBEOAFKRARQHTDIYSL723XAFJ2Q6624X/" }, { "reference_url": "https://usn.ubuntu.com/6969-1/", "reference_id": "USN-6969-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/6969-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/586385?format=api", "purl": "pkg:deb/debian/cacti@1.2.24%2Bds1-1%2Bdeb12u5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": 
"VCID-4e5y-1s19-r7g7" }, { "vulnerability": "VCID-pxqa-nkv3-jqfs" }, { "vulnerability": "VCID-xkkm-ss3p-1udc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/cacti@1.2.24%252Bds1-1%252Bdeb12u5" } ], "aliases": [ "CVE-2024-31459" ], "risk_score": 3.6, "exploitability": "0.5", "weighted_severity": "7.3", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-jkca-shmj-mbbu" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/96071?format=api", "vulnerability_id": "VCID-k7kv-za2s-dud5", "summary": "Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, some of the data stored in `automation_tree_rules.php` is not thoroughly checked and is used to concatenate the SQL statement in `create_all_header_nodes()` function from `lib/api_automation.php` , finally resulting in SQL injection. Using SQL based secondary injection technology, attackers can modify the contents of the Cacti database, and based on the modified content, it may be possible to achieve further impact, such as arbitrary file reading, and even remote code execution through arbitrary file writing. 
Version 1.2.27 contains a patch for the issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-31460", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.01692", "scoring_system": "epss", "scoring_elements": "0.82247", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.01692", "scoring_system": "epss", "scoring_elements": "0.82211", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.01692", "scoring_system": "epss", "scoring_elements": "0.82207", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.01692", "scoring_system": "epss", "scoring_elements": "0.82234", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.01692", "scoring_system": "epss", "scoring_elements": "0.82241", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.01692", "scoring_system": "epss", "scoring_elements": "0.8226", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.01692", "scoring_system": "epss", "scoring_elements": "0.82253", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.01692", "scoring_system": "epss", "scoring_elements": "0.82191", "published_at": "2026-04-02T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-31460" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-31460", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-31460" }, { "reference_url": "https://github.com/Cacti/cacti/security/advisories/GHSA-cx8g-hvq8-p2rv", "reference_id": "GHSA-cx8g-hvq8-p2rv", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-05-13T17:23:51Z/" } ], "url": "https://github.com/Cacti/cacti/security/advisories/GHSA-cx8g-hvq8-p2rv" }, { "reference_url": 
"https://github.com/Cacti/cacti/security/advisories/GHSA-gj3f-p326-gh8r", "reference_id": "GHSA-gj3f-p326-gh8r", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-05-13T17:23:51Z/" } ], "url": "https://github.com/Cacti/cacti/security/advisories/GHSA-gj3f-p326-gh8r" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RBEOAFKRARQHTDIYSL723XAFJ2Q6624X/", "reference_id": "RBEOAFKRARQHTDIYSL723XAFJ2Q6624X", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-05-13T17:23:51Z/" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RBEOAFKRARQHTDIYSL723XAFJ2Q6624X/" }, { "reference_url": "https://usn.ubuntu.com/6969-1/", "reference_id": "USN-6969-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/6969-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/586385?format=api", "purl": "pkg:deb/debian/cacti@1.2.24%2Bds1-1%2Bdeb12u5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4e5y-1s19-r7g7" }, { "vulnerability": "VCID-pxqa-nkv3-jqfs" }, { "vulnerability": "VCID-xkkm-ss3p-1udc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/cacti@1.2.24%252Bds1-1%252Bdeb12u5" } ], "aliases": [ "CVE-2024-31460" ], "risk_score": 3.0, "exploitability": "0.5", "weighted_severity": "5.9", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-k7kv-za2s-dud5" }, { "url": 
"http://public2.vulnerablecode.io/api/vulnerabilities/96560?format=api", "vulnerability_id": "VCID-khhn-9sja-sfgr", "summary": "Cacti is an open source performance and fault management framework. An authenticated Cacti user can abuse graph creation and graph template functionality to create arbitrary PHP scripts in the web root of the application, leading to remote code execution on the server. This vulnerability is fixed in 1.2.29.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-24367", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.90486", "scoring_system": "epss", "scoring_elements": "0.99606", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.90486", "scoring_system": "epss", "scoring_elements": "0.99609", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.90486", "scoring_system": "epss", "scoring_elements": "0.99608", "published_at": "2026-04-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-24367" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-24367", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-24367" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1094574", "reference_id": "1094574", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1094574" }, { "reference_url": "https://github.com/Cacti/cacti/commit/c7e4ee798d263a3209ae6e7ba182c7b65284d8f0", "reference_id": "c7e4ee798d263a3209ae6e7ba182c7b65284d8f0", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-01-27T18:54:34Z/" } ], "url": "https://github.com/Cacti/cacti/commit/c7e4ee798d263a3209ae6e7ba182c7b65284d8f0" }, { 
"reference_url": "https://github.com/Cacti/cacti/security/advisories/GHSA-fxrq-fr7h-9rqq", "reference_id": "GHSA-fxrq-fr7h-9rqq", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-01-27T18:54:34Z/" } ], "url": "https://github.com/Cacti/cacti/security/advisories/GHSA-fxrq-fr7h-9rqq" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/586385?format=api", "purl": "pkg:deb/debian/cacti@1.2.24%2Bds1-1%2Bdeb12u5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4e5y-1s19-r7g7" }, { "vulnerability": "VCID-pxqa-nkv3-jqfs" }, { "vulnerability": "VCID-xkkm-ss3p-1udc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/cacti@1.2.24%252Bds1-1%252Bdeb12u5" } ], "aliases": [ "CVE-2025-24367" ], "risk_score": 10.0, "exploitability": "2.0", "weighted_severity": "7.8", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-khhn-9sja-sfgr" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/11742?format=api", "vulnerability_id": "VCID-mebp-4rfu-vqcq", "summary": "DOMpurify has a nesting-based mXSS\nDOMpurify was vulnerable to nesting-based mXSS \n\nfixed by [0ef5e537](https://github.com/cure53/DOMPurify/tree/0ef5e537a514f904b6aa1d7ad9e749e365d7185f) (2.x) and\n[merge 943](https://github.com/cure53/DOMPurify/pull/943)\n\nBackporter should be aware of GHSA-mmhx-hmjr-r674 (CVE-2024-45801) when cherry-picking\n\nPOC is avaible under [test](https://github.com/cure53/DOMPurify/blob/0ef5e537a514f904b6aa1d7ad9e749e365d7185f/test/test-suite.js#L2098)", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-47875.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": 
"cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-47875.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-47875", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00699", "scoring_system": "epss", "scoring_elements": "0.71978", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00699", "scoring_system": "epss", "scoring_elements": "0.71993", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00699", "scoring_system": "epss", "scoring_elements": "0.7201", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00699", "scoring_system": "epss", "scoring_elements": "0.71986", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00699", "scoring_system": "epss", "scoring_elements": "0.71974", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00699", "scoring_system": "epss", "scoring_elements": "0.71935", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00699", "scoring_system": "epss", "scoring_elements": "0.71959", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00699", "scoring_system": "epss", "scoring_elements": "0.71939", "published_at": "2026-04-02T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-47875" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47875", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47875" }, { "reference_url": "http://seclists.org/fulldisclosure/2025/Apr/14", "reference_id": "", "reference_type": "", "scores": [ { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H" }, { "value": "7.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:H/SA:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": 
"" } ], "url": "http://seclists.org/fulldisclosure/2025/Apr/14" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/cure53/DOMPurify", "reference_id": "", "reference_type": "", "scores": [ { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H" }, { "value": "7.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:H/SA:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/cure53/DOMPurify" }, { "reference_url": "https://github.com/cure53/DOMPurify/blob/0ef5e537a514f904b6aa1d7ad9e749e365d7185f/test/test-suite.js#L2098", "reference_id": "", "reference_type": "", "scores": [ { "value": "10", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H" }, { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H" }, { "value": "7.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:H/SA:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-11T19:27:35Z/" } ], "url": "https://github.com/cure53/DOMPurify/blob/0ef5e537a514f904b6aa1d7ad9e749e365d7185f/test/test-suite.js#L2098" }, { "reference_url": "https://github.com/cure53/DOMPurify/commit/0ef5e537a514f904b6aa1d7ad9e749e365d7185f", "reference_id": "", "reference_type": "", "scores": [ { "value": "10", "scoring_system": 
"cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H" }, { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H" }, { "value": "7.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:H/SA:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-11T19:27:35Z/" } ], "url": "https://github.com/cure53/DOMPurify/commit/0ef5e537a514f904b6aa1d7ad9e749e365d7185f" }, { "reference_url": "https://github.com/cure53/DOMPurify/commit/6ea80cd8b47640c20f2f230c7920b1f4ce4fdf7a", "reference_id": "", "reference_type": "", "scores": [ { "value": "10", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H" }, { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H" }, { "value": "7.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:H/SA:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-11T19:27:35Z/" } ], "url": "https://github.com/cure53/DOMPurify/commit/6ea80cd8b47640c20f2f230c7920b1f4ce4fdf7a" }, { "reference_url": "https://github.com/cure53/DOMPurify/security/advisories/GHSA-gx9m-whjm-85jf", "reference_id": "", "reference_type": "", "scores": [ { "value": "10", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H" }, { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "7.9", "scoring_system": "cvssv4", 
"scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:H/SA:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-11T19:27:35Z/" } ], "url": "https://github.com/cure53/DOMPurify/security/advisories/GHSA-gx9m-whjm-85jf" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2025/02/msg00010.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H" }, { "value": "7.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:H/SA:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2025/02/msg00010.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47875", "reference_id": "", "reference_type": "", "scores": [ { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H" }, { "value": "7.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:H/SA:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47875" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1084983", "reference_id": "1084983", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1084983" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2318052", "reference_id": "2318052", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2318052" }, { "reference_url": "https://github.com/advisories/GHSA-gx9m-whjm-85jf", "reference_id": "GHSA-gx9m-whjm-85jf", 
"reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-gx9m-whjm-85jf" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:10236", "reference_id": "RHSA-2024:10236", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:10236" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:10988", "reference_id": "RHSA-2024:10988", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:10988" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:8683", "reference_id": "RHSA-2024:8683", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:8683" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:8981", "reference_id": "RHSA-2024:8981", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:8981" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:9473", "reference_id": "RHSA-2024:9473", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:9473" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:9629", "reference_id": "RHSA-2024:9629", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:9629" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:0329", "reference_id": "RHSA-2025:0329", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:0329" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/586385?format=api", "purl": "pkg:deb/debian/cacti@1.2.24%2Bds1-1%2Bdeb12u5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4e5y-1s19-r7g7" }, { "vulnerability": "VCID-pxqa-nkv3-jqfs" }, { "vulnerability": "VCID-xkkm-ss3p-1udc" } ], "resource_url": 
"http://public2.vulnerablecode.io/packages/pkg:deb/debian/cacti@1.2.24%252Bds1-1%252Bdeb12u5" } ], "aliases": [ "CVE-2024-47875", "GHSA-gx9m-whjm-85jf" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-mebp-4rfu-vqcq" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/95271?format=api", "vulnerability_id": "VCID-qnz1-w7bb-97ee", "summary": "Cross Site Scripting (XSS) vulnerability in Cacti 1.2.21 via crafted POST request to graphs_new.php.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-41444", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00285", "scoring_system": "epss", "scoring_elements": "0.51912", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00285", "scoring_system": "epss", "scoring_elements": "0.51812", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00285", "scoring_system": "epss", "scoring_elements": "0.51838", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00285", "scoring_system": "epss", "scoring_elements": "0.51799", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00285", "scoring_system": "epss", "scoring_elements": "0.51854", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00285", "scoring_system": "epss", "scoring_elements": "0.51851", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00285", "scoring_system": "epss", "scoring_elements": "0.51903", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00285", "scoring_system": "epss", "scoring_elements": "0.51885", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00285", "scoring_system": "epss", "scoring_elements": "0.5187", "published_at": "2026-04-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-41444" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41444", "reference_id": "", "reference_type": "", "scores": [], 
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41444" }, { "reference_url": "https://gist.github.com/enferas/9079535112e4f4ff2c1d2ce1c099d4c2", "reference_id": "9079535112e4f4ff2c1d2ce1c099d4c2", "reference_type": "", "scores": [ { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-03T14:41:35Z/" } ], "url": "https://gist.github.com/enferas/9079535112e4f4ff2c1d2ce1c099d4c2" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/586385?format=api", "purl": "pkg:deb/debian/cacti@1.2.24%2Bds1-1%2Bdeb12u5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4e5y-1s19-r7g7" }, { "vulnerability": "VCID-pxqa-nkv3-jqfs" }, { "vulnerability": "VCID-xkkm-ss3p-1udc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/cacti@1.2.24%252Bds1-1%252Bdeb12u5" } ], "aliases": [ "CVE-2022-41444" ], "risk_score": null, "exploitability": "0.5", "weighted_severity": "0.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-qnz1-w7bb-97ee" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/96191?format=api", "vulnerability_id": "VCID-s8du-gzj2-gkc1", "summary": "Cacti is an open source performance and fault management framework. The `title` parameter is not properly sanitized when saving external links in links.php . Morever, the said title parameter is stored in the database and reflected back to user in index.php, finally leading to stored XSS. Users with the privilege to create external links can manipulate the `title` parameter in the http post request while creating external links to perform stored XSS attacks. The vulnerability known as XSS (Cross-Site Scripting) occurs when an application allows untrusted user input to be displayed on a web page without proper validation or escaping. This issue has been addressed in release version 1.2.28. All users are advised to upgrade. 
There are no known workarounds for this vulnerability.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-43364", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.05293", "scoring_system": "epss", "scoring_elements": "0.90016", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.05293", "scoring_system": "epss", "scoring_elements": "0.90014", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.05293", "scoring_system": "epss", "scoring_elements": "0.90024", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.05293", "scoring_system": "epss", "scoring_elements": "0.90022", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.05293", "scoring_system": "epss", "scoring_elements": "0.89988", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.05293", "scoring_system": "epss", "scoring_elements": "0.89993", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.05293", "scoring_system": "epss", "scoring_elements": "0.90009", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.07542", "scoring_system": "epss", "scoring_elements": "0.91788", "published_at": "2026-04-02T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-43364" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-43364", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-43364" }, { "reference_url": "https://github.com/Cacti/cacti/security/advisories/GHSA-fgc6-g8gc-wcg5", "reference_id": "GHSA-fgc6-g8gc-wcg5", "reference_type": "", "scores": [ { "value": "5.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-08T13:58:27Z/" } ], "url": "https://github.com/Cacti/cacti/security/advisories/GHSA-fgc6-g8gc-wcg5" } ], "fixed_packages": [ { "url": 
"http://public2.vulnerablecode.io/api/packages/586385?format=api", "purl": "pkg:deb/debian/cacti@1.2.24%2Bds1-1%2Bdeb12u5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4e5y-1s19-r7g7" }, { "vulnerability": "VCID-pxqa-nkv3-jqfs" }, { "vulnerability": "VCID-xkkm-ss3p-1udc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/cacti@1.2.24%252Bds1-1%252Bdeb12u5" } ], "aliases": [ "CVE-2024-43364" ], "risk_score": 2.5, "exploitability": "0.5", "weighted_severity": "5.1", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-s8du-gzj2-gkc1" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/96284?format=api", "vulnerability_id": "VCID-sx2t-uzae-2fh9", "summary": "Cacti is an open source performance and fault management framework. Cacti has a SQL injection vulnerability in the get_discovery_results function of automation_devices.php using the network parameter. This vulnerability is fixed in 1.2.29.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-54145", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00084", "scoring_system": "epss", "scoring_elements": "0.24603", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00084", "scoring_system": "epss", "scoring_elements": "0.24415", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00084", "scoring_system": "epss", "scoring_elements": "0.2464", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.0018", "scoring_system": "epss", "scoring_elements": "0.39587", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.0018", "scoring_system": "epss", "scoring_elements": "0.39616", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.0018", "scoring_system": "epss", "scoring_elements": "0.39631", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.0018", "scoring_system": "epss", "scoring_elements": "0.3964", "published_at": "2026-04-11T12:55:00Z" }, { 
"value": "0.0018", "scoring_system": "epss", "scoring_elements": "0.39604", "published_at": "2026-04-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-54145" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-54145", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-54145" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1094574", "reference_id": "1094574", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1094574" }, { "reference_url": "https://github.com/Cacti/cacti/commit/c7e4ee798d263a3209ae6e7ba182c7b65284d8f0", "reference_id": "c7e4ee798d263a3209ae6e7ba182c7b65284d8f0", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-27T18:46:54Z/" } ], "url": "https://github.com/Cacti/cacti/commit/c7e4ee798d263a3209ae6e7ba182c7b65284d8f0" }, { "reference_url": "https://github.com/Cacti/cacti/security/advisories/GHSA-fh3x-69rr-qqpp", "reference_id": "GHSA-fh3x-69rr-qqpp", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-27T18:46:54Z/" } ], "url": "https://github.com/Cacti/cacti/security/advisories/GHSA-fh3x-69rr-qqpp" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/586385?format=api", "purl": "pkg:deb/debian/cacti@1.2.24%2Bds1-1%2Bdeb12u5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4e5y-1s19-r7g7" }, { "vulnerability": "VCID-pxqa-nkv3-jqfs" }, { "vulnerability": "VCID-xkkm-ss3p-1udc" } ], 
"resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/cacti@1.2.24%252Bds1-1%252Bdeb12u5" } ], "aliases": [ "CVE-2024-54145" ], "risk_score": 2.9, "exploitability": "0.5", "weighted_severity": "5.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-sx2t-uzae-2fh9" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/11772?format=api", "vulnerability_id": "VCID-vbs9-gben-9kgc", "summary": "DOMPurify vulnerable to tampering by prototype polution\ndompurify was vulnerable to prototype pollution\n\nFixed by https://github.com/cure53/DOMPurify/commit/d1dd0374caef2b4c56c3bd09fe1988c3479166dc", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-48910.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-48910.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-48910", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.02592", "scoring_system": "epss", "scoring_elements": "0.8559", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.02592", "scoring_system": "epss", "scoring_elements": "0.85594", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.02592", "scoring_system": "epss", "scoring_elements": "0.85597", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.02592", "scoring_system": "epss", "scoring_elements": "0.85583", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.02592", "scoring_system": "epss", "scoring_elements": "0.85573", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.02592", "scoring_system": "epss", "scoring_elements": "0.85547", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.02592", "scoring_system": "epss", "scoring_elements": "0.85553", "published_at": "2026-04-07T12:55:00Z" }, { 
"value": "0.02808", "scoring_system": "epss", "scoring_elements": "0.86074", "published_at": "2026-04-02T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-48910" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-48910", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-48910" }, { "reference_url": "https://github.com/cure53/DOMPurify", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/cure53/DOMPurify" }, { "reference_url": "https://github.com/cure53/DOMPurify/commit/d1dd0374caef2b4c56c3bd09fe1988c3479166dc", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-10-31T15:52:58Z/" } ], "url": "https://github.com/cure53/DOMPurify/commit/d1dd0374caef2b4c56c3bd09fe1988c3479166dc" }, { "reference_url": "https://github.com/cure53/DOMPurify/security/advisories/GHSA-p3vf-v8qc-cwcr", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "9.3", 
"scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-10-31T15:52:58Z/" } ], "url": "https://github.com/cure53/DOMPurify/security/advisories/GHSA-p3vf-v8qc-cwcr" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2025/02/msg00010.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2025/02/msg00010.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-48910", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-48910" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2322949", "reference_id": "2322949", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2322949" }, { "reference_url": "https://github.com/advisories/GHSA-p3vf-v8qc-cwcr", "reference_id": "GHSA-p3vf-v8qc-cwcr", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-p3vf-v8qc-cwcr" 
}, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:10186", "reference_id": "RHSA-2024:10186", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:10186" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:9583", "reference_id": "RHSA-2024:9583", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:9583" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:0079", "reference_id": "RHSA-2025:0079", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:0079" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:0082", "reference_id": "RHSA-2025:0082", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:0082" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:0654", "reference_id": "RHSA-2025:0654", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:0654" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:0875", "reference_id": "RHSA-2025:0875", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:0875" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:18233", "reference_id": "RHSA-2025:18233", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:18233" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19003", "reference_id": "RHSA-2025:19003", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19003" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19017", "reference_id": "RHSA-2025:19017", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19017" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19047", "reference_id": "RHSA-2025:19047", "reference_type": "", "scores": [], "url": 
"https://access.redhat.com/errata/RHSA-2025:19047" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19306", "reference_id": "RHSA-2025:19306", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19306" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19314", "reference_id": "RHSA-2025:19314", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19314" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19895", "reference_id": "RHSA-2025:19895", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19895" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:22284", "reference_id": "RHSA-2025:22284", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:22284" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/586385?format=api", "purl": "pkg:deb/debian/cacti@1.2.24%2Bds1-1%2Bdeb12u5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4e5y-1s19-r7g7" }, { "vulnerability": "VCID-pxqa-nkv3-jqfs" }, { "vulnerability": "VCID-xkkm-ss3p-1udc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/cacti@1.2.24%252Bds1-1%252Bdeb12u5" } ], "aliases": [ "CVE-2024-48910", "GHSA-p3vf-v8qc-cwcr" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-vbs9-gben-9kgc" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/96192?format=api", "vulnerability_id": "VCID-xdbp-7rtr-fyb7", "summary": "Cacti is an open source performance and fault management framework. The`consolenewsection` parameter is not properly sanitized when saving external links in links.php . Morever, the said consolenewsection parameter is stored in the database and reflected back to user in `index.php`, finally leading to stored XSS. 
Users with the privilege to create external links can manipulate the “consolenewsection” parameter in the http post request while creating external links to perform stored XSS attacks. The vulnerability known as XSS (Cross-Site Scripting) occurs when an application allows untrusted user input to be displayed on a web page without proper validation or escaping. This issue has been addressed in release version 1.2.28. All users are advised to upgrade. There are no known workarounds for this vulnerability.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-43365", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.05293", "scoring_system": "epss", "scoring_elements": "0.90016", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.05293", "scoring_system": "epss", "scoring_elements": "0.90024", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.05293", "scoring_system": "epss", "scoring_elements": "0.90022", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.05293", "scoring_system": "epss", "scoring_elements": "0.89975", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.05293", "scoring_system": "epss", "scoring_elements": "0.89988", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.05293", "scoring_system": "epss", "scoring_elements": "0.89993", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.05293", "scoring_system": "epss", "scoring_elements": "0.90009", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.05293", "scoring_system": "epss", "scoring_elements": "0.90014", "published_at": "2026-04-09T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-43365" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-43365", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-43365" }, { "reference_url": "https://github.com/Cacti/cacti/security/advisories/GHSA-49f2-hwx9-qffr", 
"reference_id": "GHSA-49f2-hwx9-qffr", "reference_type": "", "scores": [ { "value": "5.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-08T13:58:21Z/" } ], "url": "https://github.com/Cacti/cacti/security/advisories/GHSA-49f2-hwx9-qffr" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/586385?format=api", "purl": "pkg:deb/debian/cacti@1.2.24%2Bds1-1%2Bdeb12u5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4e5y-1s19-r7g7" }, { "vulnerability": "VCID-pxqa-nkv3-jqfs" }, { "vulnerability": "VCID-xkkm-ss3p-1udc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/cacti@1.2.24%252Bds1-1%252Bdeb12u5" } ], "aliases": [ "CVE-2024-43365" ], "risk_score": 2.5, "exploitability": "0.5", "weighted_severity": "5.1", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-xdbp-7rtr-fyb7" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/96067?format=api", "vulnerability_id": "VCID-y683-kz6e-afhv", "summary": "Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, some of the data stored in `automation_tree_rules_form_save()` function in `automation_tree_rules.php` is not thoroughly checked and is used to concatenate the HTML statement in `form_confirm()` function from `lib/html.php` , finally resulting in cross-site scripting. 
Version 1.2.27 contains a patch for the issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-31444", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.09401", "scoring_system": "epss", "scoring_elements": "0.92787", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.09401", "scoring_system": "epss", "scoring_elements": "0.92769", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.09401", "scoring_system": "epss", "scoring_elements": "0.92778", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.09401", "scoring_system": "epss", "scoring_elements": "0.92783", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.09401", "scoring_system": "epss", "scoring_elements": "0.92788", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.09401", "scoring_system": "epss", "scoring_elements": "0.92767", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.09401", "scoring_system": "epss", "scoring_elements": "0.92772", "published_at": "2026-04-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-31444" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-31444", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-31444" }, { "reference_url": "https://github.com/Cacti/cacti/security/advisories/GHSA-p4ch-7hjw-6m87", "reference_id": "GHSA-p4ch-7hjw-6m87", "reference_type": "", "scores": [ { "value": "4.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-13T17:22:10Z/" } ], "url": "https://github.com/Cacti/cacti/security/advisories/GHSA-p4ch-7hjw-6m87" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RBEOAFKRARQHTDIYSL723XAFJ2Q6624X/", "reference_id": 
"RBEOAFKRARQHTDIYSL723XAFJ2Q6624X", "reference_type": "", "scores": [ { "value": "4.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-13T17:22:10Z/" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RBEOAFKRARQHTDIYSL723XAFJ2Q6624X/" }, { "reference_url": "https://usn.ubuntu.com/6969-1/", "reference_id": "USN-6969-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/6969-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/586385?format=api", "purl": "pkg:deb/debian/cacti@1.2.24%2Bds1-1%2Bdeb12u5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4e5y-1s19-r7g7" }, { "vulnerability": "VCID-pxqa-nkv3-jqfs" }, { "vulnerability": "VCID-xkkm-ss3p-1udc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/cacti@1.2.24%252Bds1-1%252Bdeb12u5" } ], "aliases": [ "CVE-2024-31444" ], "risk_score": 2.0, "exploitability": "0.5", "weighted_severity": "4.1", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-y683-kz6e-afhv" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/96697?format=api", "vulnerability_id": "VCID-zxu5-equ9-1kam", "summary": "An HTML injection vulnerability exists in the file upload functionality of Cacti <= 1.2.29. When a file with an invalid format is uploaded, the application reflects the submitted filename back into an error popup without proper sanitization. As a result, attackers can inject arbitrary HTML elements (e.g., <h1>, <b>, <svg>) into the rendered page. 
NOTE: Multiple third-parties including the maintainer have stated that they cannot reproduce this issue after 1.2.27.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-45160", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00012", "scoring_system": "epss", "scoring_elements": "0.01724", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00012", "scoring_system": "epss", "scoring_elements": "0.01733", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02606", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02621", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02641", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.0262", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02617", "published_at": "2026-04-07T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-45160" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-45160", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-45160" }, { "reference_url": "https://gist.github.com/BEND0US/49d76897a5bb676d8c3f51425553cc32", "reference_id": "49d76897a5bb676d8c3f51425553cc32", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-29T17:51:08Z/" } ], "url": "https://gist.github.com/BEND0US/49d76897a5bb676d8c3f51425553cc32" }, { "reference_url": "https://github.com/Cacti/cacti", "reference_id": "cacti", "reference_type": "", 
"scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-29T17:51:08Z/" } ], "url": "https://github.com/Cacti/cacti" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/586385?format=api", "purl": "pkg:deb/debian/cacti@1.2.24%2Bds1-1%2Bdeb12u5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4e5y-1s19-r7g7" }, { "vulnerability": "VCID-pxqa-nkv3-jqfs" }, { "vulnerability": "VCID-xkkm-ss3p-1udc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/cacti@1.2.24%252Bds1-1%252Bdeb12u5" } ], "aliases": [ "CVE-2025-45160" ], "risk_score": 2.5, "exploitability": "0.5", "weighted_severity": "4.9", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-zxu5-equ9-1kam" } ], "risk_score": "3.4", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/cacti@1.2.24%252Bds1-1%252Bdeb12u5" }