VulnerableCode Package Details - pkg:apk/alpine/cacti@1.2.26-r0?arch=armv7&distroversion=edge&reponame=community

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-8max-2avj-hkdt	Cacti provides an operational monitoring and fault management framework. Version 1.2.25 has a Blind SQL Injection (SQLi) vulnerability within the SNMP Notification Receivers feature in the file `‘managers.php’`. An authenticated attacker with the “Settings/Utilities” permission can send a crafted HTTP GET request to the endpoint `‘/cacti/managers.php’` with an SQLi payload in the `‘selected_graphs_array’` HTTP GET parameter. As of time of publication, no patched versions exist.	CVE-2023-51448
VCID-ay5a-nkmf-5yar	security update	CVE-2023-49086
VCID-d7db-n89n-qyd8	security update	CVE-2023-49084
VCID-h3qa-svy4-1fcr	security update	CVE-2023-49085
VCID-mwbm-aphc-akgu	Cacti is an open source operational monitoring and fault management framework. A reflection cross-site scripting vulnerability was discovered in version 1.2.25. Attackers can exploit this vulnerability to perform actions on behalf of other users. The vulnerability is found in `templates_import.php.` When uploading an xml template file, if the XML file does not pass the check, the server will give a JavaScript pop-up prompt, which contains unfiltered xml template file name, resulting in XSS. An attacker exploiting this vulnerability could execute actions on behalf of other users. This ability to impersonate users could lead to unauthorized changes to settings. As of time of publication, no patched versions are available.	CVE-2023-50250
VCID-xkkm-ss3p-1udc	SQL Injection vulnerability in Cacti v1.2.25 allows a remote attacker to obtain sensitive information via the form_actions() function in the managers.php function.	CVE-2023-46490
VCID-zkmp-kgyq-tfeh	Rejected reason: DO NOT USE THIS CVE RECORD. Consult IDs: CVE-2023-50250. Reason: This record is a reservation duplicate of CVE-2023-50250. Notes: All CVE users should reference CVE-2023-50250 instead of this record. All references and descriptions in this record have been removed to prevent accidental usage.	CVE-2023-50569

Vulnerability

Summary

Aliases

VCID-8max-2avj-hkdt

Cacti provides an operational monitoring and fault management framework. Version 1.2.25 has a Blind SQL Injection (SQLi) vulnerability within the SNMP Notification Receivers feature in the file `‘managers.php’`. An authenticated attacker with the “Settings/Utilities” permission can send a crafted HTTP GET request to the endpoint `‘/cacti/managers.php’` with an SQLi payload in the `‘selected_graphs_array’` HTTP GET parameter. As of time of publication, no patched versions exist.

CVE-2023-51448

VCID-ay5a-nkmf-5yar

security update

CVE-2023-49086

VCID-d7db-n89n-qyd8

security update

CVE-2023-49084

VCID-h3qa-svy4-1fcr

security update

CVE-2023-49085

VCID-mwbm-aphc-akgu

Cacti is an open source operational monitoring and fault management framework. A reflection cross-site scripting vulnerability was discovered in version 1.2.25. Attackers can exploit this vulnerability to perform actions on behalf of other users. The vulnerability is found in `templates_import.php.` When uploading an xml template file, if the XML file does not pass the check, the server will give a JavaScript pop-up prompt, which contains unfiltered xml template file name, resulting in XSS. An attacker exploiting this vulnerability could execute actions on behalf of other users. This ability to impersonate users could lead to unauthorized changes to settings. As of time of publication, no patched versions are available.

CVE-2023-50250

VCID-xkkm-ss3p-1udc

SQL Injection vulnerability in Cacti v1.2.25 allows a remote attacker to obtain sensitive information via the form_actions() function in the managers.php function.

CVE-2023-46490

VCID-zkmp-kgyq-tfeh

Rejected reason: DO NOT USE THIS CVE RECORD. Consult IDs: CVE-2023-50250. Reason: This record is a reservation duplicate of CVE-2023-50250. Notes: All CVE users should reference CVE-2023-50250 instead of this record. All references and descriptions in this record have been removed to prevent accidental usage.

CVE-2023-50569

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-06T04:54:51.800643+00:00	Alpine Linux Importer	Fixing	VCID-zkmp-kgyq-tfeh	https://secdb.alpinelinux.org/edge/community.json	38.1.0
2026-04-03T17:54:11.999557+00:00	Alpine Linux Importer	Fixing	VCID-xkkm-ss3p-1udc	https://secdb.alpinelinux.org/edge/community.json	38.1.0
2026-04-01T19:30:38.160109+00:00	Alpine Linux Importer	Fixing	VCID-h3qa-svy4-1fcr	https://secdb.alpinelinux.org/edge/community.json	38.0.0
2026-04-01T19:25:49.382774+00:00	Alpine Linux Importer	Fixing	VCID-ay5a-nkmf-5yar	https://secdb.alpinelinux.org/edge/community.json	38.0.0
2026-04-01T19:16:19.662064+00:00	Alpine Linux Importer	Fixing	VCID-mwbm-aphc-akgu	https://secdb.alpinelinux.org/edge/community.json	38.0.0
2026-04-01T19:14:29.390482+00:00	Alpine Linux Importer	Fixing	VCID-8max-2avj-hkdt	https://secdb.alpinelinux.org/edge/community.json	38.0.0
2026-04-01T18:51:07.508955+00:00	Alpine Linux Importer	Fixing	VCID-d7db-n89n-qyd8	https://secdb.alpinelinux.org/edge/community.json	38.0.0