CVE-2025-45160 Overview
CVE-2025-45160 is an HTML injection vulnerability affecting the file upload functionality in Cacti versions 1.2.29 and earlier. When a file with an invalid format is uploaded, the application reflects the submitted filename back into an error popup without proper sanitization. This allows attackers to inject arbitrary HTML elements such as <h1>, <b>, and <svg> tags into the rendered page, potentially leading to phishing attacks, user interface manipulation, or further exploitation through malicious content injection.
Critical Impact
Authenticated attackers can inject arbitrary HTML content into Cacti's web interface, potentially enabling phishing attacks, UI defacement, or escalation to more severe client-side attacks.
Affected Products
- Cacti <= 1.2.29
Discovery Timeline
- 2026-01-29 - CVE CVE-2025-45160 published to NVD
- 2026-01-29 - Last updated in NVD database
Technical Details for CVE-2025-45160
Vulnerability Analysis
This vulnerability is classified under CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page). The core issue lies in the application's failure to sanitize user-controlled input—specifically, the filename parameter—before rendering it within an error message popup. When a user attempts to upload a file with an invalid format, the application generates an error response that directly includes the uploaded filename without encoding or escaping HTML special characters.
The vulnerability requires network access and low-privileged authentication to exploit. While no public exploits have been confirmed as actively used in the wild, a proof-of-concept demonstrating the injection technique is available through external references.
Root Cause
The root cause stems from improper input validation and output encoding in Cacti's file upload error handling mechanism. When the upload validation fails due to an invalid file format, the error message generator concatenates the user-supplied filename directly into the HTML response without applying proper sanitization functions such as htmlspecialchars() or equivalent encoding routines. This allows HTML metacharacters to be interpreted by the browser as markup rather than being displayed as literal text.
Attack Vector
The attack vector is network-based and requires a low-privileged authenticated user to access the file upload functionality. An attacker crafts a malicious filename containing HTML elements (e.g., malicious<svg onload=alert(1)>.txt) and submits it through the upload form. When the server rejects the file due to format validation failure, it reflects the unescaped filename into the error popup, causing the injected HTML to render in the victim's browser context.
The vulnerability does not directly enable cross-site scripting (XSS) execution of JavaScript in all cases, but SVG elements with event handlers or other HTML-based attack payloads could potentially be leveraged depending on the browser's content security policies and the specific injection context. For detailed technical analysis and proof-of-concept examples, refer to the GitHub Gist PoC.
Detection Methods for CVE-2025-45160
Indicators of Compromise
- Unusual file upload requests containing HTML tags in the filename parameter
- Error logs showing filenames with encoded HTML characters or suspicious patterns like <svg>, <script>, <iframe>, or <img> tags
- Web server access logs showing repeated upload attempts with varying malformed filenames
Detection Strategies
- Implement web application firewall (WAF) rules to detect HTML metacharacters in filename parameters during upload requests
- Monitor application logs for file upload failures containing suspicious patterns in filename fields
- Deploy intrusion detection signatures that flag HTTP requests with URL-encoded or raw HTML tags in upload-related parameters
Monitoring Recommendations
- Enable verbose logging for file upload operations in Cacti and regularly review for anomalous filename patterns
- Configure alerting on WAF or IDS rules that detect HTML injection attempts in POST request parameters
- Audit user activity logs for authenticated users performing repeated file upload failures, which may indicate injection testing
How to Mitigate CVE-2025-45160
Immediate Actions Required
- Upgrade Cacti to a patched version when available from the official Cacti repository
- Implement input validation on the server side to reject filenames containing HTML special characters
- Apply output encoding using functions like htmlspecialchars() with appropriate flags when reflecting any user input in error messages
Patch Information
As of the last update on 2026-01-29, organizations should monitor the Cacti GitHub repository for official security patches addressing this vulnerability. Ensure you are running the latest stable release and review release notes for security-related fixes.
Workarounds
- Implement a web application firewall (WAF) rule to block or sanitize file upload requests containing HTML metacharacters in filename fields
- Restrict file upload functionality to only trusted administrative users until a patch is applied
- Apply custom input sanitization at the web server or reverse proxy level to strip HTML tags from incoming filename parameters
# Example Apache mod_security rule to block HTML in filename parameters
SecRule ARGS:filename "@rx <[^>]+>" "id:1001,phase:2,deny,status:403,msg:'HTML injection attempt in filename blocked'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
