CVE-2025-45160: Cacti File Upload XSS Vulnerability

CVE-2025-45160 Overview

CVE-2025-45160 is an HTML injection vulnerability affecting the file upload functionality in Cacti versions 1.2.29 and earlier. When a file with an invalid format is uploaded, the application reflects the submitted filename back into an error popup without proper sanitization. This allows attackers to inject arbitrary HTML elements such as <h1>, <b>, and <svg> tags into the rendered page, potentially leading to phishing attacks, user interface manipulation, or further exploitation through malicious content injection.

Critical Impact
Authenticated attackers can inject arbitrary HTML content into Cacti's web interface, potentially enabling phishing attacks, UI defacement, or escalation to more severe client-side attacks.

Affected Products

Cacti <= 1.2.29

Discovery Timeline

2026-01-29 - CVE CVE-2025-45160 published to NVD
2026-01-29 - Last updated in NVD database

Technical Details for CVE-2025-45160

Vulnerability Analysis

This vulnerability is classified under CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page). The core issue lies in the application's failure to sanitize user-controlled input—specifically, the filename parameter—before rendering it within an error message popup. When a user attempts to upload a file with an invalid format, the application generates an error response that directly includes the uploaded filename without encoding or escaping HTML special characters.

The vulnerability requires network access and low-privileged authentication to exploit. While no public exploits have been confirmed as actively used in the wild, a proof-of-concept demonstrating the injection technique is available through external references.

Root Cause

The root cause stems from improper input validation and output encoding in Cacti's file upload error handling mechanism. When the upload validation fails due to an invalid file format, the error message generator concatenates the user-supplied filename directly into the HTML response without applying proper sanitization functions such as htmlspecialchars() or equivalent encoding routines. This allows HTML metacharacters to be interpreted by the browser as markup rather than being displayed as literal text.

Attack Vector

The attack vector is network-based and requires a low-privileged authenticated user to access the file upload functionality. An attacker crafts a malicious filename containing HTML elements (e.g., malicious<svg onload=alert(1)>.txt) and submits it through the upload form. When the server rejects the file due to format validation failure, it reflects the unescaped filename into the error popup, causing the injected HTML to render in the victim's browser context.

The vulnerability does not directly enable cross-site scripting (XSS) execution of JavaScript in all cases, but SVG elements with event handlers or other HTML-based attack payloads could potentially be leveraged depending on the browser's content security policies and the specific injection context. For detailed technical analysis and proof-of-concept examples, refer to the GitHub Gist PoC.

Detection Methods for CVE-2025-45160

Indicators of Compromise

Unusual file upload requests containing HTML tags in the filename parameter
Error logs showing filenames with encoded HTML characters or suspicious patterns like <svg>, <script>, <iframe>, or <img> tags
Web server access logs showing repeated upload attempts with varying malformed filenames

Detection Strategies

Implement web application firewall (WAF) rules to detect HTML metacharacters in filename parameters during upload requests
Monitor application logs for file upload failures containing suspicious patterns in filename fields
Deploy intrusion detection signatures that flag HTTP requests with URL-encoded or raw HTML tags in upload-related parameters

Monitoring Recommendations

Enable verbose logging for file upload operations in Cacti and regularly review for anomalous filename patterns
Configure alerting on WAF or IDS rules that detect HTML injection attempts in POST request parameters
Audit user activity logs for authenticated users performing repeated file upload failures, which may indicate injection testing

How to Mitigate CVE-2025-45160

Immediate Actions Required

Upgrade Cacti to a patched version when available from the official Cacti repository
Implement input validation on the server side to reject filenames containing HTML special characters
Apply output encoding using functions like htmlspecialchars() with appropriate flags when reflecting any user input in error messages

Patch Information

As of the last update on 2026-01-29, organizations should monitor the Cacti GitHub repository for official security patches addressing this vulnerability. Ensure you are running the latest stable release and review release notes for security-related fixes.

Workarounds

Implement a web application firewall (WAF) rule to block or sanitize file upload requests containing HTML metacharacters in filename fields
Restrict file upload functionality to only trusted administrative users until a patch is applied
Apply custom input sanitization at the web server or reverse proxy level to strip HTML tags from incoming filename parameters

bash

# Example Apache mod_security rule to block HTML in filename parameters
SecRule ARGS:filename "@rx <[^>]+>" "id:1001,phase:2,deny,status:403,msg:'HTML injection attempt in filename blocked'"