Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

CVE-2026-39894— Cacti: RRDtool metric shift via LC_NUMERIC locale comma decimal formatting

CVSS 2.9 · Low EPSS 0.10% · P1
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-39894

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
Cacti: RRDtool metric shift via LC_NUMERIC locale comma decimal formatting
Source: NVD (National Vulnerability Database)
Vulnerability Description
Cacti is an open source performance and fault management framework. In versions 1.2.30 and below, the locale-dependent decimal formatting in rrdtool_function_update() can corrupt RRDtool metric values. The rrdtool_function_update() function checks metric values with is_numeric() and concatenates them into the RRDtool update command via PHP string interpolation. PHP's string cast of floats is locale-sensitive: if LC_NUMERIC uses comma as decimal separator (e.g., de_DE), a value of 1.5 becomes "1,5". RRDtool expects . as decimal separator, causing metric data to shift into wrong columns or be silently dropped. No setlocale() reset is present in the update path. This causes a data integrity issue, but is not remotely exploitable; it requires server locale misconfiguration. The issue has been fixed in version 1.2.31.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
使用具有不一致性实现的函数
Source: NVD (National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
Cacticacti < 1.2.31 -

II. Public POCs for CVE-2026-39894

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-39894

登录查看更多情报信息。

Other References for CVE-2026-39894 (3)

Same Patch Batch · Cacti · 2026-06-24 · 10 CVEs total

CVE-2026-399559.8 CRITICALCacti has Pre-Authentication SQL Injection via unanchored FILTER_VALIDATE_REGEXP in graph
CVE-2026-398939.8 CRITICALCacti: Pre-authentication SQL injection via rfilter RLIKE clause in graph_view.php
CVE-2026-399389.8 CRITICALCacti: Unauthenticated RCE on Graph Image
CVE-2026-399517.6 HIGHCacti: Stored SQL Injection via graph_name_regexp in Reports feature
CVE-2026-39900Cacti: Reflected XSS via tab parameter in auth_profile.php JavaScript context
CVE-2026-39897Cacti has a Reflected XSS Vulnerability via html_auth_footer
CVE-2026-39948Cacti has SQL Injection via rfilter parameter in RLIKE clauses
CVE-2026-39899Cacti: Path Traversal via filename parameter in package_import.php
CVE-2026-40079Cacti: Command Injection via escape_command() no-op in RRDtool execution

IV. Related Vulnerabilities

V. Comments for CVE-2026-39894

No comments yet


Leave a comment