VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-4e5y-1s19-r7g7

Essentials
Severities (10)
References (3)
Severity details (2)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-4e5y-1s19-r7g7
Aliases	CVE-2025-66399
Summary	Cacti is an open source performance and fault management framework. Prior to 1.2.29, there is an input-validation flaw in the SNMP device configuration functionality. An authenticated Cacti user can supply crafted SNMP community strings containing control characters (including newlines) that are accepted, stored verbatim in the database, and later embedded into backend SNMP operations. In environments where downstream SNMP tooling or wrappers interpret newline-separated tokens as command boundaries, this can lead to unintended command execution with the privileges of the Cacti process. This vulnerability is fixed in 1.2.29.
Status	Published
Exploitability	0.5
Weighted Severity	6.7
Risk	3.4
Affected and Fixed Packages	Package Details

Weaknesses (1)

CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')

System	Score	Found at
epss	0.00353	https://api.first.org/data/v1/epss?cve=CVE-2025-66399
epss	0.00456	https://api.first.org/data/v1/epss?cve=CVE-2025-66399
epss	0.00456	https://api.first.org/data/v1/epss?cve=CVE-2025-66399
epss	0.00456	https://api.first.org/data/v1/epss?cve=CVE-2025-66399
epss	0.00456	https://api.first.org/data/v1/epss?cve=CVE-2025-66399
epss	0.00456	https://api.first.org/data/v1/epss?cve=CVE-2025-66399
epss	0.00456	https://api.first.org/data/v1/epss?cve=CVE-2025-66399
epss	0.00456	https://api.first.org/data/v1/epss?cve=CVE-2025-66399
cvssv4	7.4	https://github.com/Cacti/cacti/security/advisories/GHSA-c7rr-2h93-7gjf
ssvc	Track*	https://github.com/Cacti/cacti/security/advisories/GHSA-c7rr-2h93-7gjf

Reference id	Reference type	URL
		https://api.first.org/data/v1/epss?cve=CVE-2025-66399
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-66399
GHSA-c7rr-2h93-7gjf		https://github.com/Cacti/cacti/security/advisories/GHSA-c7rr-2h93-7gjf

No exploits are available.

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P Found at https://github.com/Cacti/cacti/security/advisories/GHSA-c7rr-2h93-7gjf

Attack Vector (AV)	Attack Complexity (AC)	Attack Requirements (AT)	Privileges Required (PR)	User Interaction (UI)	Vulnerable System Impact Confidentiality (VC)	Vulnerable System Impact Integrity (VI)	Vulnerable System Impact Availability (VA)	Subsequent System Impact Confidentiality (SC)	Subsequent System Impact Integrity (SI)	Subsequent System Impact Availability (SA)
network adjacent local physical	low high	none present	none low high	none passive active	high low none	high low none	high low none	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Attack Requirements (AT)

Privileges Required (PR)

User Interaction (UI)

Vulnerable System Impact Confidentiality (VC)

Vulnerable System Impact Integrity (VI)

Vulnerable System Impact Availability (VA)

Subsequent System Impact Confidentiality (SC)

Subsequent System Impact Integrity (SI)

Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-12-02T18:25:47Z/ Found at https://github.com/Cacti/cacti/security/advisories/GHSA-c7rr-2h93-7gjf

Exploit Prediction Scoring System (EPSS)

Percentile	0.57639
EPSS Score	0.00353
Published At	April 2, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-04-01T16:39:07.709198+00:00	Debian Oval Importer	Import	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.0.0