Fluid Attacks Database

Description

A HTML injection vulnerability exists in the file upload functionality of Cacti <= 1.2.29. When a file with an invalid format is uploaded, the application reflects the submitted filename back into an error popup without proper sanitization. As a result, attackers can inject arbitrary HTML elements (e.g.,

, , ) into the rendered page. NOTE: Multiple third-parties including the maintainer have stated that they cannot reproduce this issue after 1.2.27.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	cacti	=1.2.16+ds1-2 \|\| =1.2.16+ds1-2+deb11u1 \|\| =1.2.16+ds1-2+deb11u2 \|\| =1.2.16+ds1-2+deb11u3 \|\| =1.2.16+ds1-2+deb11u4 \|\| =1.2.16+ds1-2+deb11u5 \|\| =1.2.19+ds1-1 \|\| =1.2.19+ds1-2 \|\| =1.2.20+ds1-1 \|\| =1.2.20+ds1-2 \|\| =1.2.21+ds1-1 \|\| =1.2.22+ds1-1 \|\| =1.2.22+ds1-2 \|\| =1.2.22+ds1-3 \|\| =1.2.23+ds1-1 \|\| =1.2.23+ds1-2 \|\| =1.2.24+ds1-1 \|\| =1.2.25+ds1-1 \|\| =1.2.25+ds1-2 \|\| =1.2.26+ds1-1 \|\| =1.2.27+ds1-1 \|\| =1.2.27+ds1-2 \|\| =1.2.28+ds1-1 \|\| =1.2.28+ds1-2 \|\| =1.2.28+ds1-3 \|\| =1.2.28+ds1-4 \|\| =1.2.30+ds1-1 \|\| =1.2.30+ds1-2 \|\| =1.2.30+ds1-3	-
debian 13	cacti	>=0 <1.2.27+ds1-1	1.2.27+ds1-1
debian 12	cacti	=1.2.24+ds1-1 \|\| =1.2.24+ds1-1+deb12u1 \|\| =1.2.24+ds1-1+deb12u2 \|\| >=0 <1.2.24+ds1-1+deb12u3	1.2.24+ds1-1+deb12u3
debian 14	cacti	>=0 <1.2.27+ds1-1	1.2.27+ds1-1

Aliases

1. CVE-2025-451602. NVD-2025-451603. OSV-DEBIAN-2025-451604. OSV-2025-451605. SECURITY-TRACKER-CVE-2025-45160

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.