Is CVE-2026-39938 being exploited?

No public exploit is currently tracked.

How severe is CVE-2026-39938?

CVE-2026-39938 has a CVSS v3 severity of CRITICAL (9.8).

Back

CVE-2026-39938

Description

Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have unauthenticated LFI through graph_theme and rrdtool IPC serialization hardening. This issue has been resolved in version 1.2.31.