Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-k7kv-za2s-dud5
Vulnerability ID VCID-k7kv-za2s-dud5
Aliases CVE-2024-31460
Summary Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, some of the data stored in `automation_tree_rules.php` is not thoroughly checked and is used to concatenate the SQL statement in `create_all_header_nodes()` function from `lib/api_automation.php` , finally resulting in SQL injection. Using SQL based secondary injection technology, attackers can modify the contents of the Cacti database, and based on the modified content, it may be possible to achieve further impact, such as arbitrary file reading, and even remote code execution through arbitrary file writing. Version 1.2.27 contains a patch for the issue.
Status Published
Exploitability 0.5
Weighted Severity 5.9
Risk 3.0
Affected and Fixed Packages Package Details
Weaknesses (1)
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
System Score Found at
epss 0.01692 https://api.first.org/data/v1/epss?cve=CVE-2024-31460
epss 0.01692 https://api.first.org/data/v1/epss?cve=CVE-2024-31460
epss 0.01692 https://api.first.org/data/v1/epss?cve=CVE-2024-31460
epss 0.01692 https://api.first.org/data/v1/epss?cve=CVE-2024-31460
epss 0.01692 https://api.first.org/data/v1/epss?cve=CVE-2024-31460
epss 0.01692 https://api.first.org/data/v1/epss?cve=CVE-2024-31460
epss 0.01692 https://api.first.org/data/v1/epss?cve=CVE-2024-31460
epss 0.01692 https://api.first.org/data/v1/epss?cve=CVE-2024-31460
cvssv3.1 6.5 https://github.com/Cacti/cacti/security/advisories/GHSA-cx8g-hvq8-p2rv
ssvc Track https://github.com/Cacti/cacti/security/advisories/GHSA-cx8g-hvq8-p2rv
cvssv3.1 6.5 https://github.com/Cacti/cacti/security/advisories/GHSA-gj3f-p326-gh8r
ssvc Track https://github.com/Cacti/cacti/security/advisories/GHSA-gj3f-p326-gh8r
cvssv3.1 6.5 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RBEOAFKRARQHTDIYSL723XAFJ2Q6624X/
ssvc Track https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RBEOAFKRARQHTDIYSL723XAFJ2Q6624X/
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2024-31460
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-31460
GHSA-cx8g-hvq8-p2rv https://github.com/Cacti/cacti/security/advisories/GHSA-cx8g-hvq8-p2rv
GHSA-gj3f-p326-gh8r https://github.com/Cacti/cacti/security/advisories/GHSA-gj3f-p326-gh8r
RBEOAFKRARQHTDIYSL723XAFJ2Q6624X https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RBEOAFKRARQHTDIYSL723XAFJ2Q6624X/
USN-6969-1 https://usn.ubuntu.com/6969-1/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N Found at https://github.com/Cacti/cacti/security/advisories/GHSA-cx8g-hvq8-p2rv
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-05-13T17:23:51Z/ Found at https://github.com/Cacti/cacti/security/advisories/GHSA-cx8g-hvq8-p2rv
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N Found at https://github.com/Cacti/cacti/security/advisories/GHSA-gj3f-p326-gh8r
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-05-13T17:23:51Z/ Found at https://github.com/Cacti/cacti/security/advisories/GHSA-gj3f-p326-gh8r
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N Found at https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RBEOAFKRARQHTDIYSL723XAFJ2Q6624X/
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-05-13T17:23:51Z/ Found at https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RBEOAFKRARQHTDIYSL723XAFJ2Q6624X/
Exploit Prediction Scoring System (EPSS)
Percentile 0.82191
EPSS Score 0.01692
Published At April 2, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T16:37:25.861092+00:00 Debian Oval Importer Import https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 38.0.0