CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-40082

mediumCVSS 5.4covered by 1 sourcefirst seen 2026-06-25
Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have missing session_regenerate_id() after login, leading to Session Fixation. session_regenerate_id() is NOT called after successful login. The login flow at auth_login.php:203-207 directly sets $_SESSION[SESS_USER_ID] without rotating the session ID. The session cookie configuration is otherwise good (httponly=true, samesite=Strict, secure=true for HTTPS at include/global.php:513-537), but these do not prevent session fixation via same-site vectors. This issue has been fixed in version 1.2.31.

⚡ Watch CVE-2026-40082

Get an email if CVE-2026-40082 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (1)

External references

NVD record for CVE-2026-40082

CVE.org record

Embed the live status

CVE-2026-40082 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-40082 status](https://www.csirts.com/badge/CVE-2026-40082)](https://www.csirts.com/cve/CVE-2026-40082)