Software-update: Cacti 1.2.31

Cacti is een volledige frontend voor RRDtool, een applicatie waarmee je op gezette tijden informatie kan binnenhalen van je netwerk en aangesloten apparatuur. Cacti kan deze binnengehaalde informatie overzichtelijk weergeven in verschillende grafieken waardoor je in één oogopslag de prestaties over een bepaalde periode kan zien. Het vereist een omgeving met MySQL, PHP, RRDTool, net-snmp en een webserver met PHP-ondersteuning. Voor meer informatie verwijzen we jullie door naar deze pagina. In versie 1.2.31 zijn de volgende veranderingen en verbeteringen doorgevoerd:

Security:

• GHSA-23g4-vf2j-94w4 - CVE-2026-39894 RRDtool metric shift via LC_NUMERIC locale comma decimal formatting
• GHSA-273r-qr93-wgcp - CVE-2026-40082 Session Fixation via missing session_regenerate_id() after login
• GHSA-274c-97hj-pv2v - CVE-2026-40941 Package Import Signature Validation Bypass allows self-signed packages
• GHSA-2j98-xfjq-gw39 - CVE-2026-39897 Reflected XSS in html_auth_footer error message output
• GHSA-34rf-frc3-v48r - CVE-2026-39900 Reflected XSS via tab parameter in auth_profile.php JavaScript context
• GHSA-37jj-rx8x-4wf2 - CVE-2026-46531 SQL Injection in automation_tree_rules.php
• GHSA-3vj5-jqr9-q8hg - CVE-2026-44481 Pre-auth Open Redirect via link.php Referer header
• GHSA-6233-v5hc-6gvf - CVE-2026-39952 Stored XSS in Report Tree expansion titles
• GHSA-69gg-mjfm-jjpc - CVE-2026-39893 Pre-authentication SQL injection via rfilter RLIKE clause in graph_view.php
• GHSA-6RVG-2vm8-5wrf - CVE-2026-22802 Authentication Bypass leads to information disclosure
• GHSA-6gr7-53g8-vchq - CVE-2026-40080 Open Redirect via HTTP_REFERER substring check in auth_login_redirect
• GHSA-84q3-92xc-c3pf - CVE-2026-40078 Backend ORDER BY SQL Injection
• GHSA-8522-5p3m-754c - CVE-2026-39949 Authenticated Remote Code Execution via Host Variable Injection
• GHSA-8p2f-6jvx-j75j - CVE-2026-40081 Reports IDOR allows any authenticated user to modify other users' reports (CWE-639)
• GHSA-9jqv-4cpm-vm2c - CVE-2026-39948 SQL Injection via rfilter parameter in RLIKE clauses
• GHSA-c4qp-j9r9-fq24 - CVE-2026-39902 Authenticated RCE on Data Input
• GHSA-fwh3-8c8r-378r - CVE-2026-39898 Reflected XSS via rfilter parameter in aggregate_graphs.php input value
• GHSA-g37j-39f4-6r4j - CVE-2026-41884 Arbitrary File Read via Reports format_file path traversal
• GHSA-gp82-qhrg-crv7 - CVE-2026-39955 Pre-Authentication SQL Injection via unanchored FILTER_VALIDATE_REGEXP in graph_view.php
• GHSA-hr82-h9vr-587w - CVE-2026-39896 TOCTOU race in auth_process_lockout allows brute-force lockout bypass
• GHSA-j696-m433-87qq - CVE-2026-39950 Arbitrary PHP file write via Plugin Archive extraction leading to RCE
• GHSA-j9jv-6xjq-9hhj - CVE-2026-40083 SQL Injection in managers.php via uncast array values in IN clauses
• GHSA-m7v2-f3xw-3qh7 - User Enumeration via Error Messages
• GHSA-mjvw-mhj5-9jcj - CVE-2026-40084 Arbitrary File Read via path traversal in Report format_file parameter
• GHSA-pf37-v86f-5xwp - CVE-2026-39951 Stored SQL Injection via graph_name_regexp in Reports feature
• GHSA-pr9x-34w8-4mf7 - CVE-2026-39899 Path traversal via filename parameter in package_import.php
• GHSA-rm7p-qcqm-x5m6 - CVE-2026-39938 Unauthenticated LFI via graph_theme and rrdtool IPC serialization hardening
• GHSA-vp35-4h28-r883 - CVE-2026-39939 Path traversal in Package Import file write allows arbitrary file creation in webroot
• GHSA-w47c-53f9-w47g - CVE-2026-39947 RRDtool IPC pipe poisoning via is_numeric newline bypass in rrdtool_function_update
• GHSA-wpjq-m269-mghj - CVE-2026-39895 Second-order RCE via unescaped log path in exec_background shell redirection
• GHSA-xq98-376r-hv9j - CVE-2026-40079 Command Injection via escape_command() no-op in RRDtool execution
• CVE-2026-40194, CVE-2026-32935 in phpseclib - This is breaking change for RRDProxy
• CVE-2026-1513 billboard.js before 3.18.0 Improper Input Sanitization Allows Remote JavaScript Execution

Fixed:

• 6168 - When purging RRD files, paths are not correctly handled
• 6202 - When using automation, devices may not be added as expected
• 6204 - Attempting to match a field in automation may cause unexpected errors
• 6210 - Ensure column names are escaped to prevent reserved word issues
• 6240 - Improve sort order for incorrect RRA's
• 6249 - Unable to send Email to users without a domain name
• 6251 - When viewing a graph, do not produce unnecessary errors if graph has been removed
• 6253 - When i18n formatting numbers, assume null means 0 by xmacan
• 6257 - When data sources are removed, ensure only RRD files are removed by xmacan
• 6262 - When the database connection drops during query, retry to ensure success
• 6270 - Incorrect escaping may prevent drop downs working as intended
• 6271 - When validation errors occur, provide more information to help diagnosis
• 6283 - When calculating total pages, ensure math errors do not occur
• 6292 - When validating null request variables, fatal errors may occur
• 6294 - Automation may produce unexpected warnings when detecting the OS
• 6296 - Process timeouts may not end processes as expected
• 6297 - Improve support for Secure SMTP
• 6299 - Improve email address handling to support UTF8
• 6313 - When editing multiple devices, unexpected errors may be recorded
• 6314 - When editing an Aggregation Graph, total count may not reflect number of items correctly
• 6315 - When duplicating a Data Input Method, unexpected errors may occur
• 6326 - Improve SNMP v3 support for Cisco devices
• 6327 - Implement Autocomplete standards for Login and Change Password
• 6329 - When using LDAP, checking a user's groups may cause unexpected errors
• 6331 - When upgrading from pre-1.0.5, unexpected errors may occur by YATV
• 6334 - When creating Aggregate graphs, unable to hide HRULE and COMMENT based items
• 6335 - Email addresses with leading or trailing spaces can cause issues
• 6441 - Spikekill uses the wrong option for retention periods by 3432
• 6444 - When a Data Input's Title is applied, unexpected errors and values may be seen
• 6490 - When using Clear All on Selective Debug, first item is reselected
• 6507 - Importing packages may not work as expected by xmacan
• 6508 - When exporting graphs, data issues may lead to unexpected errors by xmacan
• 6516 - When modifying Graph Automation Rules, unexpected errors may be logged
• 6518 - Improve security of CSRF Secret by SMark-Black
• 6519 - When using Real Time graphing, unexpected errors may appear if graph is removed
• 6546 - Restore some missing SNMP Script Server configurations
• 6551 - Improve support for FreeBSD when Auditing Databases by xmacan
• 6573 - Create new device_change_javascript hook for THOLD plugin by xmacan
• 6598 - Improve PHP 8 support by TheWitness
• 6600 - When replicating plugins, unexpected errors may appear due to missing tables
• 6605 - Prevent Row Data Loss When Rebuilding RRD Files
• 6606 - When using SpikeKill, actions would not always lead to expected results
• 6706 - Some hosts may show as down incorrectly by xmacan
• 6945 - Improve PHP 8.5 support
• 7121 - When using data input methods, unexpected log entries may appear
• 7133 - When attempting to push out items, offline data sources can have unexpected results
• 7135 - Fix issue with locally scoped OID/Script path not being correctly cleared
• 7199 - CSV Color Import fails
• 7202 - Removed plugins may leave orphan entries in plugin tables

Changes:

• 6523 - When disabling users, ensure that their authentication cookies and sessions cleared
• 6524 - When changing your password, log off from all sessions
• 6534 - Improve Cacti Session ID security
• 6607 - Implement session security on Password change
• 6681 - Add Dell iDRAC template by xmacan
• Update DOMPurify to 3.4.7
• Update PHPMailer to 6.10 to support SMTPUTF8
• Update phpseclib for the Service Check plugin
• Update jstree to 3.3.17 for CSP Level 3 compliance