CVE-2026-40083

HIGH LAB

Cacti: SQL Injection in managers.php

Title source: cna
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-40083. PoCs published by hakaioffsec.

AI-analyzed exploit summary This repository contains a functional proof-of-concept exploit for CVE-2026-40083, an authenticated SQL injection vulnerability in Cacti <= 1.2.30. The exploit leverages time-based blind injection via the 'selected_graphs_array' parameter in managers.php to extract database contents, including user credentials and password hashes.

Description

Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have SQL Injection through unsanitized unserialize+implode in managers.php. At line 756 of managers.php, the application assigns $selected_items by calling cacti_unserialize(stripslashes(gnrv('selected_graphs_array'))). The cacti_unserialize() function calls unserialize() with allowed_classes set to false, which prevents object injection but still allows arbitrary string arrays to be deserialized. Then, at lines 760 to 766, the deserialized array values are passed directly into db_execute('DELETE FROM snmpagent_managers WHERE id IN (' . implode(',', $selected_items) . ')'), where they are imploded into the SQL statement without any integer validation, resulting in SQL Injection when using SNMP agent management permissions. This issue has been fixed in version 1.2.31.

Exploits (1)

nomisec WORKING POC 2 stars
by hakaioffsec · poc
https://github.com/hakaioffsec/CVE-2026-40083

This repository contains a functional proof-of-concept exploit for CVE-2026-40083, an authenticated SQL injection vulnerability in Cacti <= 1.2.30. The exploit leverages time-based blind injection via the 'selected_graphs_array' parameter in managers.php to extract database contents, including user credentials and password hashes.

Classification
Working Poc 99%
Attack Type
Sqli
Complexity
Moderate
Reliability
Reliable
Target: Cacti <= 1.2.30
Auth required
Prerequisites: Authenticated access with SNMP Manager permissions · Target running vulnerable Cacti version (<= 1.2.30) · Network access to the Cacti web interface
mistral-large-3 · analyzed Jul 17, 2026 Full analysis →

References (2)

Core 2
Core References

Scores

CVSS v3 7.2
EPSS 0.0028
EPSS Percentile 19.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Lab Environment

COMMUNITY
Community Lab
docker pull mysql:5.7

Details

CWE
CWE-89
Status published
Products (2)
cacti/cacti < 1.2.31
Cacti/cacti < 1.2.31
Published Jun 25, 2026
Tracked Since Jun 26, 2026