CVE-2025-26520

7.6 HIGH

📋 TL;DR

CVE-2025-26520 is an SQL injection vulnerability in Cacti's host_templates.php file via the graph_template parameter. This allows attackers to execute arbitrary SQL commands on the database. All Cacti installations up to version 1.2.29 are affected.

💻 Affected Systems

Products:
  • Cacti
Versions: All versions through 1.2.29
Operating Systems: All platforms running Cacti
Default Config Vulnerable: ⚠️ Yes
Notes: This is an incomplete fix for CVE-2024-54146, affecting the same template function.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full database compromise leading to data theft, privilege escalation, and potential remote code execution through database functions.

🟠 Likely Case

Unauthorized data access, modification of monitoring configurations, and potential authentication bypass.

🟢 If Mitigated

Limited impact if proper input validation and database permissions are enforced.

🌐 Internet-Facing: HIGH - Web-accessible interface with SQL injection vulnerability.
🏢 Internal Only: MEDIUM - Still vulnerable to internal threats but attack surface is reduced.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires authentication to access host_templates.php, but SQL injection is straightforward once authenticated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.2.30 or later

Vendor Advisory: https://github.com/Cacti/cacti/commit/7fa60c03ad4a69c701ac6b77c85a8927df7acd51

Restart Required: No

Instructions:

1. Back up your Cacti installation and database.
2. Download Cacti 1.2.30 or later from the official repository.
3. Replace the affected files with the patched versions.
4. Verify the fix by confirming that the deployed code includes commit 7fa60c03ad4a69c701ac6b77c85a8927df7acd51.

🔧 Temporary Workarounds

Input Validation Enhancement

Applies to: all

Add additional input validation for the graph_template parameter in host_templates.php and make sure the value is passed to the database only through bound query parameters.

# Modify host_templates.php to sanitize graph_template input
# Ensure proper parameter binding in SQL queries

🧯 If You Can't Patch

  • Restrict access to host_templates.php to trusted IP addresses only
  • Implement web application firewall (WAF) rules to block SQL injection patterns

🔍 How to Verify

Check if Vulnerable:

Check the Cacti version: if it is 1.2.29 or earlier, the system is vulnerable. Review host_templates.php to confirm that the graph_template parameter is sanitized and bound before it reaches a SQL query.

Check Version:

grep '\$version' /path/to/cacti/include/global.php | head -1

Verify Fix Applied:

Verify Cacti version is 1.2.30 or later. Check that the commit 7fa60c03ad4a69c701ac6b77c85a8927df7acd51 is applied.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed authentication attempts followed by host_templates.php access
  • Unexpected graph_template parameter values in web logs

Network Indicators:

  • SQL error messages in HTTP responses
  • Unusual database connection patterns from web server

SIEM Query:

source="web_logs" AND uri="/host_templates.php" AND (param="graph_template" AND value MATCHES "[';]|UNION|SELECT")
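As an added example (not code from this page or from the Cacti project), the script below combines the version check from the "How to Verify" section with the SIEM detection logic above: it flags a Cacti version of 1.2.29 or earlier, and it scans access-log lines for host_templates.php requests whose graph_template parameter matches the same quote/semicolon/UNION/SELECT pattern. The combined log format, the request paths and the sample values are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# First fixed release per the advisory; everything below it is affected.
FIXED_VERSION = (1, 2, 30)

def parse_version(version_str):
    """Turn a version string such as '1.2.29' into a comparable tuple."""
    return tuple(int(p) for p in re.findall(r"\d+", version_str))

def is_vulnerable_version(version_str):
    """True when the installed Cacti version is 1.2.29 or earlier."""
    return parse_version(version_str) < FIXED_VERSION

# Same indicators the advisory's SIEM query uses.
SQLI_PATTERN = re.compile(r"[';]|\bUNION\b|\bSELECT\b", re.IGNORECASE)

# Picks the request line out of a combined-format access-log entry (assumed format).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def suspicious_requests(log_lines):
    """Return (path, graph_template value) for host_templates.php requests
    whose graph_template parameter matches the injection pattern."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("uri"))
        if parts.path.rsplit("/", 1)[-1] != "host_templates.php":
            continue
        # parse_qs percent-decodes the values, so '%27' is compared as a quote.
        for value in parse_qs(parts.query).get("graph_template", []):
            if SQLI_PATTERN.search(value):
                hits.append((parts.path, value))
    return hits

# Constructed sample log lines: one benign request, one matching the pattern,
# and one with the parameter on a different script (should not be flagged).
SAMPLE_LOG = [
    '10.0.0.5 - admin [01/Jan/2025:10:00:00 +0000] "GET /cacti/host_templates.php?action=edit&id=3 HTTP/1.1" 200 512',
    '10.0.0.7 - admin [01/Jan/2025:10:00:05 +0000] "GET /cacti/host_templates.php?action=edit&graph_template=1%27%20UNION%20SELECT HTTP/1.1" 200 1024',
    '10.0.0.9 - - [01/Jan/2025:10:00:09 +0000] "GET /cacti/graph_view.php?graph_template=5 HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    print("1.2.29 vulnerable:", is_vulnerable_version("1.2.29"))
    print("1.2.30 vulnerable:", is_vulnerable_version("1.2.30"))
    print("flagged:", suspicious_requests(SAMPLE_LOG))
```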
