Debian: CVE-2025-45160: cacti -- security update

Severity: 6
CVSS: (AV:N/AC:L/Au:S/C:P/I:P/A:N)
Published: Feb 2, 2026
Added: Feb 2, 2026
Modified: Feb 4, 2026

Description

An HTML injection vulnerability exists in the file upload functionality of Cacti <= 1.2.29. When a file with an invalid format is uploaded, the application reflects the submitted filename back into an error popup without proper sanitization. As a result, attackers can inject arbitrary HTML elements (e.g., <h1>, <b>, <svg>) into the rendered page. NOTE: Multiple third parties, including the maintainer, have stated that they cannot reproduce this issue after 1.2.27.
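
The pattern described above, as an added example that is not Cacti's code: a hypothetical upload handler builds its "invalid format" message first by concatenating the raw filename and then with the filename escaped for HTML output. The function names, the extension allow-list and the sample filenames are assumptions constructed for illustration.

```php
<?php
// Hypothetical upload check, NOT taken from Cacti. The allow-list is an assumption.
const ALLOWED_EXTENSIONS = ['xml', 'gz'];

function has_allowed_extension(string $filename): bool
{
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return in_array($ext, ALLOWED_EXTENSIONS, true);
}

// Pattern the description refers to: the client-supplied filename is
// concatenated into markup, so any tags it contains become page elements.
function error_popup_unsafe(string $filename): string
{
    return '<div class="error">Invalid file format: ' . $filename . '</div>';
}

// Hardened form: treat the filename as untrusted text at the output boundary.
function error_popup_safe(string $filename): string
{
    // Drop control characters; preg_replace returns null on invalid UTF-8
    // with the /u flag, in which case no part of the name is shown.
    $name = preg_replace('/[\x00-\x1F\x7F]/u', '', $filename) ?? '';
    // Cap the length so a long name cannot dominate the popup.
    $name = substr($name, 0, 100);
    // Encode <, >, &, " and ' so the browser renders them as text.
    // ENT_SUBSTITUTE replaces any byte sequence broken by the cut above.
    $escaped = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<div class="error">Invalid file format: ' . $escaped . '</div>';
}

// Constructed sample filenames, using element names from the description.
$samples = ['graph_template.xml', 'report.pdf', '<h1>notice</h1>.txt', '<b>bold</b>.png'];

foreach ($samples as $filename) {
    if (has_allowed_extension($filename)) {
        continue; // accepted upload, no error message is rendered
    }
    echo 'unsafe: ', error_popup_unsafe($filename), PHP_EOL;
    echo 'safe:   ', error_popup_safe($filename), PHP_EOL;
}
```

Escaping belongs at the point where the message is rendered, so the same filename stays intact for logging or storage while never reaching the page as markup.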

Solution

debian-upgrade-cacti