CVE-2025-45160 in Cacti

Summary

by MITRE • 01/29/2026

An HTML injection vulnerability exists in the file upload functionality of Cacti <= 1.2.29. When a file with an invalid format is uploaded, the application reflects the submitted filename back into an error popup without proper sanitization. As a result, attackers can inject arbitrary HTML elements (e.g., <h1>, <b>, <svg>) into the rendered page. NOTE: Multiple third parties including the maintainer have stated that they cannot reproduce this issue after 1.2.27.


Analysis

by VulDB Data Team • 02/04/2026

The vulnerability identified as CVE-2025-45160 represents a critical HTML injection flaw within the file upload mechanism of Cacti monitoring software versions 1.2.29 and earlier. This security weakness specifically manifests when the application processes file uploads with invalid formats, creating a pathway for malicious actors to manipulate the user interface through reflected content. The core technical issue stems from insufficient input validation and output sanitization within the error handling routine that displays file names in popup dialogs. When an invalid file is submitted, the system reflects the original filename back to the user interface without proper HTML escaping or sanitization, creating an environment where attacker-controlled content can be rendered as executable markup.

The operational impact of this vulnerability extends beyond simple cosmetic HTML injection, as it provides attackers with a potential vector for more sophisticated attacks including cross-site scripting payloads that could compromise user sessions or redirect victims to malicious sites. The reflected nature of the vulnerability means that any HTML elements injected into the filename are directly rendered in the browser context, potentially allowing for script execution if the injected content includes JavaScript or other malicious markup elements. Security researchers have noted that this type of vulnerability aligns with CWE-79 - Improper Neutralization of Input During Web Page Generation, which specifically addresses the failure to properly sanitize user input before including it in web page content. The vulnerability demonstrates how seemingly minor input validation gaps can create significant security risks when combined with user interface elements that directly render untrusted data.

The remediation landscape for this vulnerability is complex due to the reported inability to reproduce the issue in versions 1.2.27 and later, suggesting that either the vulnerability was already patched in the maintenance releases or that specific environmental conditions are required to trigger the flaw. Organizations utilizing affected Cacti versions should prioritize immediate upgrade to patched releases to eliminate exposure to this HTML injection vector. The vulnerability also highlights the importance of proper input sanitization in all user-facing interfaces, particularly those handling file uploads or other user-provided data. Security teams should implement comprehensive testing procedures that include both automated scanning and manual verification of error handling routines to identify similar patterns in other applications. Additionally, this vulnerability demonstrates the critical need for maintaining current security patches and the potential risks associated with running outdated software versions, as the issue appears to have been addressed in subsequent releases. The ATT&CK framework classification would likely include techniques related to web application attacks and HTML injection, emphasizing the need for robust content security policies and proper input validation across all application components.

The technical analysis reveals that this vulnerability operates at the intersection of web application security principles and user interface design, where the failure to properly escape user input in error messages creates a persistent security risk. The specific nature of the flaw suggests that organizations should implement defensive measures including Content Security Policy headers, proper input validation routines, and regular security assessments of all user interaction points within their monitoring and management applications. The fact that multiple parties including the software maintainer cannot reproduce the issue indicates that the vulnerability may be environment-specific or may require precise conditions to manifest, but the potential for exploitation remains significant enough to warrant immediate attention from security teams.
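The reflection described in the analysis above can be shown as a weak message builder beside an output-encoded one, with a check a team can run against a rendered response to confirm whether a filename comes back unencoded. This is an added example, not Cacti's code and not part of the original entry; the function names, the popup markup and the sample filenames are assumptions made for illustration.

```javascript
// Added illustration. Function names, the popup markup and the message text
// are hypothetical and are not taken from Cacti's source.

// Encode the five characters that are significant in HTML text and attributes.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Weak pattern: the client-supplied filename is concatenated into markup as-is.
function uploadErrorUnsafe(filename) {
  return '<div class="popup">Invalid file format: ' + filename + '</div>';
}

// Corrected pattern: the filename is encoded at the point of output.
function uploadErrorSafe(filename) {
  return '<div class="popup">Invalid file format: ' + escapeHtml(filename) + '</div>';
}

// Regression check for a rendered response body. Returns true when a probe
// filename containing angle brackets appears in the body unencoded.
// Assumption: the probe is a string that does not otherwise occur in the page
// (a bare "<" would match the template's own tags).
function reflectsRawFilename(body, probeFilename) {
  if (!/[<>]/.test(probeFilename)) return false; // no markup characters, no signal
  return body.includes(probeFilename);
}

// Constructed probe filenames (not from any real upload).
const samples = ['probe-7f3a<b>.xml', 'probe-7f3a.xml'];
for (const name of samples) {
  console.log(
    JSON.stringify(name),
    'unsafe:', reflectsRawFilename(uploadErrorUnsafe(name), name),
    'safe:', reflectsRawFilename(uploadErrorSafe(name), name)
  );
}
```

Encoding at the point of output is what makes the check return false for the second builder; a Content Security Policy, as the analysis recommends, is an additional layer rather than a replacement for it.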

Responsible

MITRE

Reservation

04/22/2025

Disclosure

01/29/2026

Moderation

accepted

CPE

ready

EPSS

0.00016

KEV

no

Activities

very low

Sources
