VulnerableCode Package Details - pkg:deb/debian/cacti@0.8.6f-1?distro=trixie

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-cww1-muhf-z7aj	Cacti 0.8.6e and earlier does not perform proper input validation to protect against common attacks, which allows remote attackers to execute arbitrary commands or SQL by sending a legitimate value in a POST request or cookie, then specifying the attack string in the URL, which causes the get_request_var function to return the wrong value in the $_REQUEST variable, which is cleansed while the original malicious $_GET value remains unmodified, as demonstrated in (1) graph_image.php and (2) graph.php.	CVE-2005-2148
VCID-qfjt-2g9r-nucs	config.php in Cacti 0.8.6e and earlier allows remote attackers to set the no_http_headers switch, then modify session information to gain privileges and disable the use of addslashes to conduct SQL injection attacks.	CVE-2005-2149
VCID-zjgu-8ns1-rbhr	SQL injection vulnerability in graph.php in Cacti before 0.8.6f allows remote authenticated users to execute arbitrary SQL commands via the local_graph_id parameter, a different vulnerability than CVE-2007-6035.	CVE-2015-0916

Vulnerability

Summary

Aliases

VCID-cww1-muhf-z7aj

Cacti 0.8.6e and earlier does not perform proper input validation to protect against common attacks, which allows remote attackers to execute arbitrary commands or SQL by sending a legitimate value in a POST request or cookie, then specifying the attack string in the URL, which causes the get_request_var function to return the wrong value in the $_REQUEST variable, which is cleansed while the original malicious $_GET value remains unmodified, as demonstrated in (1) graph_image.php and (2) graph.php.

CVE-2005-2148

VCID-qfjt-2g9r-nucs

config.php in Cacti 0.8.6e and earlier allows remote attackers to set the no_http_headers switch, then modify session information to gain privileges and disable the use of addslashes to conduct SQL injection attacks.

CVE-2005-2149

VCID-zjgu-8ns1-rbhr

SQL injection vulnerability in graph.php in Cacti before 0.8.6f allows remote authenticated users to execute arbitrary SQL commands via the local_graph_id parameter, a different vulnerability than CVE-2007-6035.

CVE-2015-0916

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T13:12:00.687788+00:00	Debian Importer	Fixing	VCID-qfjt-2g9r-nucs	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T12:32:19.469396+00:00	Debian Importer	Fixing	VCID-cww1-muhf-z7aj	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T11:51:24.914358+00:00	Debian Importer	Fixing	VCID-zjgu-8ns1-rbhr	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-13T09:05:02.817838+00:00	Debian Importer	Fixing	VCID-qfjt-2g9r-nucs	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-13T08:35:12.078990+00:00	Debian Importer	Fixing	VCID-cww1-muhf-z7aj	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-13T08:05:37.665496+00:00	Debian Importer	Fixing	VCID-zjgu-8ns1-rbhr	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-02T17:17:45.613916+00:00	Debian Importer	Fixing	VCID-qfjt-2g9r-nucs	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-02T17:15:22.212651+00:00	Debian Importer	Fixing	VCID-cww1-muhf-z7aj	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-02T17:12:54.163712+00:00	Debian Importer	Fixing	VCID-zjgu-8ns1-rbhr	https://security-tracker.debian.org/tracker/data/json	38.1.0