{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40941", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-15T20:40:15.518Z", "datePublished": "2026-06-25T23:01:30.937Z", "dateUpdated": "2026-06-26T14:57:48.522Z"}, "containers": {"cna": {"title": "Cacti: Package Import Signature Validation Bypass Allows Self-Signed Packages", "problemTypes": [{"descriptions": [{"cweId": "CWE-347", "lang": "en", "description": "CWE-347: Improper Verification of Cryptographic Signature", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/Cacti/cacti/security/advisories/GHSA-274c-97hj-pv2v", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Cacti/cacti/security/advisories/GHSA-274c-97hj-pv2v"}, {"name": "https://github.com/Cacti/cacti/pull/7054", "tags": ["x_refsource_MISC"], "url": "https://github.com/Cacti/cacti/pull/7054"}, {"name": "https://github.com/Cacti/cacti/releases/tag/release%2F1.2.31", "tags": ["x_refsource_MISC"], "url": "https://github.com/Cacti/cacti/releases/tag/release%2F1.2.31"}], "affected": [{"vendor": "Cacti", "product": "cacti", "versions": [{"version": "< 1.2.31", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-06-25T23:01:30.937Z"}, "descriptions": [{"lang": "en", "value": "Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have a package import signature validation bypass allows which allows self-signed packages. This issue has been fixed in version 1.2.31."}], "source": {"advisory": "GHSA-274c-97hj-pv2v", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-26T14:56:48.504785Z", "id": "CVE-2026-40941", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-26T14:57:48.522Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40941", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-06-26T14:56:48.504785Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-26T14:57:36.739Z"}}], "cna": {"title": "Cacti: Package Import Signature Validation Bypass Allows Self-Signed Packages", "source": {"advisory": "GHSA-274c-97hj-pv2v", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "Cacti", "product": "cacti", "versions": [{"status": "affected", "version": "< 1.2.31"}]}], "references": [{"url": "https://github.com/Cacti/cacti/security/advisories/GHSA-274c-97hj-pv2v", "name": "https://github.com/Cacti/cacti/security/advisories/GHSA-274c-97hj-pv2v", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/Cacti/cacti/pull/7054", "name": "https://github.com/Cacti/cacti/pull/7054", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/Cacti/cacti/releases/tag/release%2F1.2.31", "name": "https://github.com/Cacti/cacti/releases/tag/release%2F1.2.31", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have a package import signature validation bypass allows which allows self-signed packages. This issue has been fixed in version 1.2.31."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-347", "description": "CWE-347: Improper Verification of Cryptographic Signature"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-06-25T23:01:30.937Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40941", "state": "PUBLISHED", "dateUpdated": "2026-06-26T14:57:48.522Z", "dateReserved": "2026-04-15T20:40:15.518Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-06-25T23:01:30.937Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{}

{"bugzilla": {"description": "cacti: Cacti: Package Import Signature Validation Bypass Allows Self-Signed Packages", "id": "2493265", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2493265"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-347", "details": ["A flaw was found in Cacti, an open-source performance and fault management framework. This vulnerability allows a remote attacker to bypass the package import signature validation. By exploiting this flaw, an attacker can import self-signed packages, potentially leading to the execution of unauthorized code or compromise of system integrity."], "name": "CVE-2026-40941", "public_date": "2026-06-25T23:01:30Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-40941\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-40941\nhttps://github.com/Cacti/cacti/pull/7054\nhttps://github.com/Cacti/cacti/releases/tag/release%2F1.2.31\nhttps://github.com/Cacti/cacti/security/advisories/GHSA-274c-97hj-pv2v"], "statement": "This is an Important flaw in Cacti where a package import signature validation bypass allows the installation of self-signed packages. This could lead to the execution of arbitrary code with the privileges of the Cacti application, potentially compromising the integrity and availability of the system. Exploitation requires an attacker to have privileges to import packages.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.2.31)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "cacti", "source": "cna", "vendor": "Cacti"}, "product": "cacti", "vendor": "cacti"}], "created": "2026-06-26T00:30:17.569070+00:00", "updated": "2026-06-26T03:30:06.920045+00:00", "vendors": ["cacti", "cacti$PRODUCT$cacti"]}