Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-zxu5-equ9-1kam
Vulnerability ID VCID-zxu5-equ9-1kam
Aliases CVE-2025-45160
Summary A HTML injection vulnerability exists in the file upload functionality of Cacti <= 1.2.29. When a file with an invalid format is uploaded, the application reflects the submitted filename back into an error popup without proper sanitization. As a result, attackers can inject arbitrary HTML elements (e.g., <h1>, <b>, <svg>) into the rendered page. NOTE: Multiple third-parties including the maintainer have stated that they cannot reproduce this issue after 1.2.27.
Status Published
Exploitability 0.5
Weighted Severity 4.9
Risk 2.5
Affected and Fixed Packages Package Details
Weaknesses (0)
There are no known CWE.
System Score Found at
epss 0.00012 https://api.first.org/data/v1/epss?cve=CVE-2025-45160
epss 0.00012 https://api.first.org/data/v1/epss?cve=CVE-2025-45160
epss 0.00014 https://api.first.org/data/v1/epss?cve=CVE-2025-45160
epss 0.00014 https://api.first.org/data/v1/epss?cve=CVE-2025-45160
epss 0.00014 https://api.first.org/data/v1/epss?cve=CVE-2025-45160
epss 0.00014 https://api.first.org/data/v1/epss?cve=CVE-2025-45160
epss 0.00014 https://api.first.org/data/v1/epss?cve=CVE-2025-45160
cvssv3.1 5.4 https://gist.github.com/BEND0US/49d76897a5bb676d8c3f51425553cc32
ssvc Track https://gist.github.com/BEND0US/49d76897a5bb676d8c3f51425553cc32
cvssv3.1 5.4 https://github.com/Cacti/cacti
ssvc Track https://github.com/Cacti/cacti
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2025-45160
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-45160
49d76897a5bb676d8c3f51425553cc32 https://gist.github.com/BEND0US/49d76897a5bb676d8c3f51425553cc32
cacti https://github.com/Cacti/cacti
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N Found at https://gist.github.com/BEND0US/49d76897a5bb676d8c3f51425553cc32
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-29T17:51:08Z/ Found at https://gist.github.com/BEND0US/49d76897a5bb676d8c3f51425553cc32
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N Found at https://github.com/Cacti/cacti
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-29T17:51:08Z/ Found at https://github.com/Cacti/cacti
Exploit Prediction Scoring System (EPSS)
Percentile 0.01724
EPSS Score 0.00012
Published At April 2, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T16:38:58.538724+00:00 Debian Oval Importer Import https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 38.0.0