CVE-2026-40941

Description

Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have a package import signature validation bypass allows which allows self-signed packages. This issue has been fixed in version 1.2.31.

CVSS breakdown

CVSS 4.0

Attack Vector

Network

Attack Complexity

Low

Attack Requirements

None

Privileges Required

Low

User Interaction

None

Confidentiality (Vulnerable System)

None

Integrity (Vulnerable System)

High

Availability (Vulnerable System)

None

Confidentiality (Subsequent System)

None

Integrity (Subsequent System)

None

Availability (Subsequent System)

None

Affected products

Cacti / cacti< 1.2.31 – < 1.2.31

References

VENDOR_ADVISORYhttps://github.com/Cacti/cacti/security/advisories/GHSA-274c-97hj-pv2v
PATCHhttps://github.com/Cacti/cacti/pull/7054
PATCHhttps://github.com/Cacti/cacti/releases/tag/release%2F1.2.31