A HTML injection vulnerability exists in the file upload...
Moderate severity
Unreviewed
Published
Jan 29, 2026
to the GitHub Advisory Database
•
Updated Jan 29, 2026
Description
Published by the National Vulnerability Database
Jan 29, 2026
Published to the GitHub Advisory Database
Jan 29, 2026
Last updated
Jan 29, 2026
A HTML injection vulnerability exists in the file upload functionality of Cacti <= 1.2.29. When a file with an invalid format is uploaded, the application reflects the submitted filename back into an error popup without proper sanitization. As a result, attackers can inject arbitrary HTML elements (e.g.,
, , ) into the rendered page.
References