CVE-2025-45160

Name: CVE-2025-45160

Description: An HTML injection vulnerability exists in the file upload functionality of Cacti <= 1.2.29. When a file with an invalid format is uploaded, the application reflects the submitted filename back into an error popup without proper sanitization. As a result, attackers can inject arbitrary HTML elements (e.g., <h1>, <b>, <svg>) into the rendered page.

Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package | Release                        | Version                | Status
cacti (PTS)    | bullseye                       | 1.2.16+ds1-2+deb11u3   | vulnerable
cacti (PTS)    | bullseye (security)            | 1.2.16+ds1-2+deb11u5   | vulnerable
cacti (PTS)    | bookworm, bookworm (security)  | 1.2.24+ds1-1+deb12u5   | vulnerable
cacti (PTS)    | forky, sid, trixie             | 1.2.30+ds1-1           | vulnerable

The information below is based on the following data on fixed versions.

Package | Type   | Release    | Fixed Version | Urgency | Origin | Debian Bugs
cacti   | source | (unstable) | (unfixed)     |         |        |

Notes

[trixie] - cacti <no-dsa> (Minor issue)
[bookworm] - cacti <no-dsa> (Minor issue)
https://gist.github.com/BEND0US/49d76897a5bb676d8c3f51425553cc32
check if reported upstream
