CVE-2005-10004

Publication date 30 August 2025

Last updated 16 September 2025

Cacti versions prior to 0.8.6-d contain a remote command execution vulnerability in the graph_view.php script. An authenticated user can inject arbitrary shell commands via the graph_start GET parameter, which is improperly handled during graph rendering. This flaw allows attackers to execute commands on the underlying operating system with the privileges of the web server process, potentially compromising system integrity.

Why is this CVE high priority?

arbitrary command execution

Learn more about Ubuntu priority

Status

Show unmaintained releases

Package	Ubuntu Release	Status
cacti	25.04 plucky	Not affected
	24.04 LTS noble	Not affected
	22.04 LTS jammy	Not affected
	20.04 LTS focal	Not affected
	18.04 LTS bionic	Not affected
	16.04 LTS xenial	Not affected
	14.04 LTS trusty	Not affected

How can I get the fixes?
What do statuses mean?

References

MITRE
NVD
Launchpad
Debian

Other references

https://www.cve.org/CVERecord?id=CVE-2005-10004
https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/cacti_graphimage_exec.rb
https://web.archive.org/web/20050305034552/http://www.cacti.net/cactid_download.php
https://www.cacti.net/info/downloads
https://www.exploit-db.com/exploits/16881
https://www.exploit-db.com/exploits/9911
https://www.vulncheck.com/advisories/cacti-graph-view-rce