CVE-2025-45160

Published: Jan 29, 2026

Modified: Feb 2, 2026

PUBLISHED

Description

A HTML injection vulnerability exists in the file upload functionality of Cacti <= 1.2.29. When a file with an invalid format is uploaded, the application reflects the submitted filename back into an error popup without proper sanitization. As a result, attackers can inject arbitrary HTML elements (e.g., <h1>, <b>, <svg>) into the rendered page. NOTE: Multiple third-parties including the maintainer have stated that they cannot reproduce this issue after 1.2.27.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://github.com/Cacti/cacti

https://gist.github.com/BEND0US/49d76897a5bb676d8c3f51425553cc32

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-45160

Description

Affected Products

References