Vulnerability details: VCID-d7db-n89n-qyd8
Vulnerability ID VCID-d7db-n89n-qyd8
Aliases CVE-2023-49084
Summary security update
Status Published
Exploitability 2.0
Weighted Severity 0.8
Risk 1.6
Weaknesses (0)
There are no known CWE.
Data source Metasploit
Description This exploit module leverages a SQLi (CVE-2023-49085) and a LFI (CVE-2023-49084) vulnerability in Cacti versions prior to 1.2.26 to achieve RCE. Authentication is needed and the account must have access to the vulnerable PHP script (`pollers.php`). This is granted by setting the `Sites/Devices/Data` permission in the `General Administration` section.
Note
Stability:
  - crash-safe
Reliability:
  - repeatable-session
SideEffects:
  - config-changes
  - ioc-in-logs
Ransomware campaign use Unknown
Source publication date Dec. 20, 2023
Platform Linux,Unix,Windows
Source URL https://github.com/rapid7/metasploit-framework/tree/master/modules/exploits/multi/http/cacti_pollers_sqli_rce.rb
There are no known vectors.
Exploit Prediction Scoring System (EPSS)
Percentile 0.99488
EPSS Score 0.88341
Published At April 2, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T16:36:51.036023+00:00 Debian Oval Importer Import https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 38.0.0