Vulnerability details: VCID-ses2-y1j2-vbbx
Vulnerability ID VCID-ses2-y1j2-vbbx
Aliases CVE-2020-14295
Summary Multiple vulnerabilities have been found in Cacti, the worst of which could result in the arbitrary execution of code.
Status Published
Exploitability 2.0
Weighted Severity 0.7
Risk 1.4
Weaknesses (0)
There are no known CWE.
Data source Exploit-DB
Date added April 29, 2021
Description Cacti 1.2.12 - 'filter' SQL Injection
Ransomware campaign use Unknown
Source publication date April 29, 2021
Exploit type webapps
Platform php
Source update date Oct. 29, 2021
Data source Metasploit
Description This module exploits a SQL injection vulnerability in Cacti 1.2.12 and before. An admin can exploit the filter variable within color.php to pull arbitrary values as well as conduct stacked queries. With stacked queries, the path_php_binary value is changed within the settings table to a payload, and an update is called to execute the payload. After calling the payload, the value is reset.
Note
Stability:
  - crash-safe
SideEffects:
  - config-changes
  - ioc-in-logs
Reliability:
  - repeatable-session
Ransomware campaign use Unknown
Source publication date June 17, 2020
Platform PHP
Source URL https://github.com/rapid7/metasploit-framework/tree/master/modules/exploits/unix/http/cacti_filter_sqli_rce.rb
There are no known vectors.
Exploit Prediction Scoring System (EPSS)
Percentile 0.99156
EPSS Score 0.81199
Published At April 1, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T13:14:13.651172+00:00 Gentoo Importer Import https://security.gentoo.org/glsa/202007-03 38.0.0