CVE-2026-39951: Cacti Stored SQL Injection in the Reports Feature - Network Monitoring Servers Need to Patch

The Cacti maintainers disclosed CVE-2026-39951 on 25 June 2026: a stored SQL injection vulnerability in the graph_name_regexp parameter of the Reports feature affecting Cacti versions 1.2.30 and prior. The CVSS 3.1 base score is 7.6 HIGH. Exploitation requires only a low-privileged authenticated session. Sherlock Forensics treats CVE-2026-39951 as a real forensic investigation surface because Cacti deployments concentrate sensitive network topology and credential data in one place.

TL;DR: CVE-2026-39951 (CVSS 7.6 HIGH, CWE-89 SQL Injection) lets a low-privileged authenticated user inject SQL through the graph_name_regexp parameter in the Cacti Reports feature. Cacti versions 1.2.30 and prior are vulnerable. Cacti 1.2.31 contains the fix. The Cacti GitHub Security Advisory GHSA-pf37-v86f-5xwp is the primary source, and upstream commit 4c09efa is the patch reference.

What CVE-2026-39951 Actually Is

Per the Cacti GitHub Security Advisory (GHSA-pf37-v86f-5xwp) and the NIST National Vulnerability Database primary source, CVE-2026-39951 is a stored SQL injection vulnerability in the Reports feature of Cacti. The vulnerable input is the graph_name_regexp parameter, which the Reports feature uses to filter graphs by name when an authenticated user creates or modifies a report. The vulnerable code path passes the user-supplied regex string into a SQL query without sufficient escaping, which allows an attacker to break out of the intended query context and execute attacker-controlled SQL statements.
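To make the unescaped-query pattern concrete, here is an added example in Python. It is not Cacti's own code (Cacti is written in PHP) and not the vulnerable code path itself: it builds a constructed graph table in SQLite, then filters it by name two ways, once by splicing the graph_name_regexp value into the SQL text and once by binding it as a parameter. SQLite has no built-in REGEXP operator, so the example registers one; the table, column names and sample graph titles are constructed for the demonstration.

```python
import re
import sqlite3


def build_db():
    """Constructed in-memory stand-in for a graph table; not Cacti's schema."""
    conn = sqlite3.connect(":memory:")
    # SQLite has no built-in REGEXP operator. Registering regexp(pattern, value)
    # makes "title REGEXP ?" work, which is all this example needs.
    conn.create_function("REGEXP", 2,
                         lambda pattern, value: 1 if re.search(pattern, value) else 0)
    conn.execute("CREATE TABLE graph (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO graph(title) VALUES (?)",
                     [("core-rtr-1 - Traffic",), ("edge-fw-2 - CPU",), ("lab-sw-3 - Traffic",)])
    return conn


def filter_graphs_unsafe(conn, graph_name_regexp):
    """The weak pattern: the user-supplied value becomes part of the SQL text."""
    sql = "SELECT id, title FROM graph WHERE title REGEXP '" + graph_name_regexp + "'"
    return conn.execute(sql).fetchall()


def filter_graphs_safe(conn, graph_name_regexp):
    """The hardened pattern: the value is bound as data and never parsed as SQL."""
    sql = "SELECT id, title FROM graph WHERE title REGEXP ?"
    return conn.execute(sql, (graph_name_regexp,)).fetchall()


def probe(graph_name_regexp):
    """Run both variants on one input and report the rows, or the error class raised."""
    conn = build_db()
    result = {"safe": filter_graphs_safe(conn, graph_name_regexp),
              "unsafe": None, "unsafe_error": None}
    try:
        result["unsafe"] = filter_graphs_unsafe(conn, graph_name_regexp)
    except sqlite3.Error as exc:
        result["unsafe_error"] = type(exc).__name__
    return result


if __name__ == "__main__":
    print(probe("Traffic$"))   # both variants agree on an ordinary pattern
    print(probe("O'Brien"))    # the spliced query fails to parse; the bound query does not
```

A single quote in the input is enough to show the difference: the spliced query no longer parses as the author intended, while the bound version treats the whole value as a pattern. Binding stops the value from being read as SQL; it does not validate the regex itself, so limits on pattern length and complexity are a separate control.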

The NVD CVSS 3.1 vector is AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L. Network attack vector reflects that the Cacti web interface is the entry point. Low complexity reflects that the SQL injection payload format is standard and the injection point is reliably reachable. Low privileges required reflects that any authenticated user with permission to create or modify a report can reach the vulnerable code path. No user interaction reflects that the injection executes on the next render of the affected report. Scope is unchanged. Confidentiality impact is high (the attacker reads the Cacti database); integrity and availability impact are both low.

Why This Is a Forensic Investigation Surface

Cacti is open-source, enterprise-grade network and server performance monitoring software with a substantial footprint in Canadian and US enterprise IT shops. Telecom operators, internet service providers, mid-market IT departments, university IT and government IT departments all run Cacti for SNMP-based device monitoring and performance graphing. Cacti instances concentrate three categories of sensitive data: SNMP community strings or SNMPv3 credentials for every monitored device, the network device inventory (device IPs, vendor identifiers, role labels) and the time-series performance history (which doubles as a network topology map).

For an attacker who already has low-privileged authenticated access to a Cacti instance, CVE-2026-39951 provides the path to read the entire Cacti database. The database contains the SNMP credentials in a readable form, the device inventory and the performance history. For incident response investigators arriving after the fact, the forensic surface includes the web server access logs (which capture the SQL injection request signature), the MySQL or MariaDB query logs (which capture the attacker-controlled SQL execution), the Cacti audit trail (which captures the user identity and the timestamp of report modifications) and the time-series database snapshots (which may show anomalous query patterns).

Detection: What Investigators Should Look For

The forensic question is whether the Cacti instance was exposed during the vulnerable window and whether any low-privileged account showed activity consistent with exploitation. Web server access logs capture the HTTP requests to the Reports feature endpoints. Anomalous patterns include large request payloads in the graph_name_regexp parameter, requests containing SQL keywords (SELECT, UNION, INSERT, UPDATE) in the payload, and requests originating from network addresses outside the documented Cacti admin user pool.

MySQL or MariaDB query logs (when enabled at the right verbosity) capture the SQL statements executed against the Cacti database. Anomalous patterns include SELECT statements against the cacti.user_auth table outside the normal authentication flow, SELECT statements against tables containing SNMP credential data, and INSERT or UPDATE statements modifying user_auth rows. The Cacti audit trail captures the user identity and timestamp for report creation and modification events. Correlating the audit trail against access log timestamps narrows the investigation to specific user sessions.
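The two log sources described above can be triaged together. What follows is an added example in Python, not Sherlock's tooling and not any Cacti component: it parses a few constructed Apache combined-format access lines and MySQL general-log lines, flags requests whose graph_name_regexp value carries SQL keywords, is oversized, or comes from outside a documented admin address pool, flags statements that touch user_auth without matching the normal login query shape, and pairs each flagged request with the statements executed within a few seconds after it. The reports endpoint path, the admin address pool, the login query shape and every log line are constructed assumptions; adjust them to what your instance actually logs.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# --- Constructed sample data (not real logs) --------------------------------
# Apache combined-format lines for a Cacti vhost. The reports script path is an
# assumption for this example; the check keys on the parameter name, not the path.
ACCESS_LOG = """\
10.0.5.21 - alice [25/Jun/2026:09:14:02 +0000] "GET /cacti/reports_user.php?action=edit&id=4&graph_name_regexp=core-rtr.*Traffic HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
203.0.113.44 - bob [25/Jun/2026:09:16:30 +0000] "GET /cacti/reports_user.php?action=edit&id=4&graph_name_regexp=%27%20UNION%20SELECT%201%2C2%20--%20 HTTP/1.1" 200 9311 "-" "python-requests/2.31"
10.0.5.22 - carol [25/Jun/2026:09:20:11 +0000] "GET /cacti/graph_view.php?action=tree HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
"""

# MySQL general-log style lines (constructed). The login query shape below is an
# assumption standing in for whatever your Cacti build actually issues at login.
QUERY_LOG = """\
2026-06-25T09:13:58.004000Z\t  41 Query\tSELECT * FROM user_auth WHERE username = 'alice'
2026-06-25T09:16:31.120000Z\t  57 Query\tSELECT 1,2 FROM user_auth
2026-06-25T09:16:31.300000Z\t  57 Query\tSELECT username, password FROM user_auth
2026-06-25T09:20:12.000000Z\t  60 Query\tSELECT id, title FROM graph_templates_graph
"""

ADMIN_POOL = {"10.0.5.21", "10.0.5.22"}   # documented admin source addresses (constructed)
SQL_KEYWORDS = re.compile(r"\b(SELECT|UNION|INSERT|UPDATE)\b", re.IGNORECASE)
LOGIN_SHAPE = re.compile(r"^SELECT \* FROM user_auth WHERE username = '[^']*'$")
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)')
QUERY_RE = re.compile(r"^(?P<ts>\S+)\t\s*(?P<conn>\d+) Query\t(?P<sql>.*)$")


def parse_access_log(text):
    """Parse combined-format lines; decode graph_name_regexp if the query carries it."""
    entries = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        params = parse_qs(urlsplit(e["target"]).query)
        e["graph_name_regexp"] = params.get("graph_name_regexp", [None])[0]
        entries.append(e)
    return entries


def flag_report_requests(entries, admin_pool=ADMIN_POOL, max_len=64):
    """Requests carrying graph_name_regexp that match one of the page's anomaly patterns."""
    flagged = []
    for e in entries:
        value = e["graph_name_regexp"]
        if value is None:
            continue
        reasons = []
        if SQL_KEYWORDS.search(value):
            reasons.append("sql-keyword")
        if len(value) > max_len:
            reasons.append("oversized")
        if e["ip"] not in admin_pool:
            reasons.append("outside-admin-pool")
        if reasons:
            flagged.append({**e, "reasons": reasons})
    return flagged


def parse_query_log(text):
    """Parse general-log lines into (timestamp, connection id, statement)."""
    entries = []
    for line in text.splitlines():
        m = QUERY_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
        entries.append(e)
    return entries


def flag_queries(entries):
    """Statements touching user_auth that do not match the assumed login shape."""
    return [e for e in entries
            if re.search(r"\buser_auth\b", e["sql"], re.IGNORECASE)
            and not LOGIN_SHAPE.match(e["sql"].strip())]


def correlate(flagged_requests, flagged_queries, window_seconds=5):
    """Pair each suspicious request with flagged statements run within the window after it."""
    window = timedelta(seconds=window_seconds)
    pairs = []
    for r in flagged_requests:
        hits = [q["sql"] for q in flagged_queries if r["ts"] <= q["ts"] <= r["ts"] + window]
        pairs.append((r["user"], r["ip"], r["reasons"], hits))
    return pairs


def triage():
    """End-to-end run over the constructed samples."""
    return correlate(flag_report_requests(parse_access_log(ACCESS_LOG)),
                     flag_queries(parse_query_log(QUERY_LOG)))


if __name__ == "__main__":
    for user, ip, reasons, statements in triage():
        print(user, ip, reasons, statements)
```

Keying the request check on the parameter name rather than the script path keeps it working if the endpoint is reached through a different script, and the correlation window should be widened if the web and database hosts' clocks are not synchronised. The general log only helps if it was already enabled during the vulnerable window; it cannot be reconstructed afterwards.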

For investigators triaging a Cacti server suspected of compromise, the Sherlock Disk Imager handles the forensic acquisition step. The server disk image preserves the web access logs, MySQL data directory, Cacti audit trail and any operator-installed monitoring agent state. The Sherlock methodology applies the standard acquisition workflow regardless of whether the Cacti server runs on Linux (the most common deployment) or on Windows (a less common but real deployment).

The Cacti Server Compromise Lateral Movement Risk

A compromised Cacti instance is not just a data loss event. It is a pivot point. The attacker who reads the Cacti database has the SNMP community strings or SNMPv3 credentials for every monitored device. For most enterprise deployments the monitored device set includes routers, switches, firewalls, server hardware management controllers (IPMI, iDRAC, iLO) and often endpoint device management consoles. SNMP write community access on a router or switch is sufficient to modify routing tables, ACLs, VLAN assignments or device configuration. SNMP write community access on hardware management controllers reaches the management plane of the server hardware.

The forensic implication is that a Cacti compromise investigation needs to expand quickly into a broader network reconnaissance investigation. The post-compromise pivot footprint is what the attacker did with the credentials they extracted, not just what they did inside the Cacti web interface. The investigation timeline needs to cover the period from initial Cacti access through the credential extraction and the subsequent lateral movement. The Sherlock incident response methodology handles this pivot analysis as part of the standard enterprise compromise scope.

What Sherlock Customers Should Do

If your environment runs Cacti for network monitoring, apply the Cacti 1.2.31 patch through the normal change management process. If your environment has had any authenticated low-privileged Cacti user activity in the last 60 days that you cannot fully attribute to legitimate users, consider opening a formal investigation. The Cacti web access logs and MySQL query logs are the primary triage artifacts. Hash and preserve them before any analysis or rotation.

For organizations operating Cacti at scale (multiple instances across data centers or geographic regions), the operational discipline is to rotate SNMP community strings on every monitored device immediately upon patch application. The patch closes the SQL injection vector, but it does not invalidate credentials that may have been extracted during the vulnerable window. Credential rotation across the monitored device fleet is the second-order remediation step that many organizations miss.

The Sherlock Disk Imager and the broader Sherlock toolkit are available for organizations that need internal forensic acquisition capacity. For organizations needing external incident response support, the Sherlock engagement page documents the enterprise IR scope, including network monitoring server compromise and credential extraction lateral movement analysis.