{"url":"http://public2.vulnerablecode.io/api/packages/447927?format=json","purl":"pkg:apk/alpine/cacti@1.2.8-r0?arch=armhf&distroversion=v3.14&reponame=community","type":"apk","namespace":"alpine","name":"cacti","version":"1.2.8-r0","qualifiers":{"arch":"armhf","distroversion":"v3.14","reponame":"community"},"subpath":"","is_vulnerable":false,"next_non_vulnerable_version":"1.2.13-r0","latest_non_vulnerable_version":"1.2.17-r0","affected_by_vulnerabilities":[],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/61959?format=json","vulnerability_id":"VCID-4hqy-g8eb-pbga","summary":"Cacti 1.2.8 has stored XSS in data_sources.php, color_templates_item.php, graphs.php, graph_items.php, lib/api_automation.php, user_admin.php, and user_group_admin.php, as demonstrated by the description parameter in data_sources.php (a raw string from the database that is displayed by $header to trigger the XSS).","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-7106","reference_id":"","reference_type":"","scores":[{"value":"0.03534","scoring_system":"epss","scoring_elements":"0.87878","published_at":"2026-06-04T12:55:00Z"},{"value":"0.03534","scoring_system":"epss","scoring_elements":"0.87899","published_at":"2026-06-05T12:55:00Z"},{"value":"0.03534","scoring_system":"epss","scoring_elements":"0.87902","published_at":"2026-06-07T12:55:00Z"},{"value":"0.03534","scoring_system":"epss","scoring_elements":"0.87903","published_at":"2026-06-08T12:55:00Z"},{"value":"0.03534","scoring_system":"epss","scoring_elements":"0.87915","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-7106"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7106","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7106"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=949996","reference_id":"949996","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=949996"},{"reference_url":"https://security.gentoo.org/glsa/202003-40","reference_id":"GLSA-202003-40","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/202003-40"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/447927?format=json","purl":"pkg:apk/alpine/cacti@1.2.8-r0?arch=armhf&distroversion=v3.14&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/cacti@1.2.8-r0%3Farch=armhf&distroversion=v3.14&reponame=community"}],"aliases":["CVE-2020-7106"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-4hqy-g8eb-pbga"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/61966?format=json","vulnerability_id":"VCID-8m57-p9d3-9ffc","summary":"graph_realtime.php in Cacti 1.2.8 allows remote attackers to execute arbitrary OS commands via shell metacharacters in a cookie, if a guest user has the graph real-time privilege.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-8813","reference_id":"","reference_type":"","scores":[{"value":"0.93591","scoring_system":"epss","scoring_elements":"0.99843","published_at":"2026-06-08T12:55:00Z"},{"value":"0.93591","scoring_system":"epss","scoring_elements":"0.99844","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-8813"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8813","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8813"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=951832","reference_id":"951832","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=951832"},{"reference_url":"https://github.com/mhaskar/CVE-2020-8813/blob/4877c2b2f378ce5937f56b259b69b02840514d4c/Cacti-postauth-rce.py","reference_id":"CVE-2020-8813","reference_type":"exploit","scores":[],"url":"https://github.com/mhaskar/CVE-2020-8813/blob/4877c2b2f378ce5937f56b259b69b02840514d4c/Cacti-postauth-rce.py"},{"reference_url":"https://github.com/mhaskar/CVE-2020-8813/blob/dfb48378f39249ff54ecf24ccd3b89db26971ccf/Cacti-preauth-rce.py","reference_id":"CVE-2020-8813","reference_type":"exploit","scores":[],"url":"https://github.com/mhaskar/CVE-2020-8813/blob/dfb48378f39249ff54ecf24ccd3b89db26971ccf/Cacti-preauth-rce.py"},{"reference_url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/48144.py","reference_id":"CVE-2020-8813","reference_type":"exploit","scores":[],"url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/48144.py"},{"reference_url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/48145.py","reference_id":"CVE-2020-8813","reference_type":"exploit","scores":[],"url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/48145.py"},{"reference_url":"https://security.gentoo.org/glsa/202004-16","reference_id":"GLSA-202004-16","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/202004-16"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/447927?format=json","purl":"pkg:apk/alpine/cacti@1.2.8-r0?arch=armhf&distroversion=v3.14&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/cacti@1.2.8-r0%3Farch=armhf&distroversion=v3.14&reponame=community"}],"aliases":["CVE-2020-8813"],"risk_score":1.6,"exploitability":"2.0","weighted_severity":"0.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-8m57-p9d3-9ffc"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/61963?format=json","vulnerability_id":"VCID-ckzh-cucd-akdc","summary":"Cacti 1.2.8 allows Remote Code Execution (by privileged users) via shell metacharacters in the Performance Boost Debug Log field of poller_automation.php. OS commands are executed when a new poller cycle begins. The attacker must be authenticated, and must have access to modify the Performance Settings of the product.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-7237","reference_id":"","reference_type":"","scores":[{"value":"0.42974","scoring_system":"epss","scoring_elements":"0.97557","published_at":"2026-06-04T12:55:00Z"},{"value":"0.42974","scoring_system":"epss","scoring_elements":"0.97561","published_at":"2026-06-05T12:55:00Z"},{"value":"0.42974","scoring_system":"epss","scoring_elements":"0.97563","published_at":"2026-06-08T12:55:00Z"},{"value":"0.42974","scoring_system":"epss","scoring_elements":"0.97562","published_at":"2026-06-07T12:55:00Z"},{"value":"0.42974","scoring_system":"epss","scoring_elements":"0.97565","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-7237"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7237","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7237"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=949997","reference_id":"949997","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=949997"},{"reference_url":"https://security.gentoo.org/glsa/202003-40","reference_id":"GLSA-202003-40","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/202003-40"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/447927?format=json","purl":"pkg:apk/alpine/cacti@1.2.8-r0?arch=armhf&distroversion=v3.14&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/cacti@1.2.8-r0%3Farch=armhf&distroversion=v3.14&reponame=community"}],"aliases":["CVE-2020-7237"],"risk_score":0.2,"exploitability":"0.5","weighted_severity":"0.4","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ckzh-cucd-akdc"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/cacti@1.2.8-r0%3Farch=armhf&distroversion=v3.14&reponame=community"}