CVE-2005-10004

Publication date 1 September 2025

Last updated 1 September 2025

Cacti versions prior to 0.8.6-d contain a remote command execution vulnerability in the graph_view.php script. An authenticated user can inject arbitrary shell commands via the graph_start GET parameter, which is improperly handled during graph rendering. This flaw allows attackers to execute commands on the underlying operating system with the privileges of the web server process, potentially compromising system integrity.

Why is this CVE high priority?

arbitrary command execution

Learn more about Ubuntu priority

Status

Show unmaintained releases

Package	Ubuntu Release	Status
cacti	25.04 plucky	Not affected
	24.04 LTS noble	Not affected
	22.04 LTS jammy	Not affected
	20.04 LTS focal	Needs evaluation
	18.04 LTS bionic	Needs evaluation
	16.04 LTS xenial	Needs evaluation
	14.04 LTS trusty	Needs evaluation

How can I get the fixes?
What do statuses mean?

References

MITRE
NVD
Launchpad
Debian

Other references

https://www.cve.org/CVERecord?id=CVE-2005-10004
https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/cacti_graphimage_exec.rb
https://web.archive.org/web/20050305034552/http://www.cacti.net/cactid_download.php
https://www.cacti.net/info/downloads
https://www.exploit-db.com/exploits/16881
https://www.exploit-db.com/exploits/9911
https://www.vulncheck.com/advisories/cacti-graph-view-rce