{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-40080","assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","state":"PUBLISHED","assignerShortName":"GitHub_M","dateReserved":"2026-04-09T00:39:12.205Z","datePublished":"2026-06-25T22:29:51.784Z","dateUpdated":"2026-06-26T14:09:20.592Z"},"containers":{"cna":{"title":"Cacti: Open Redirect via HTTP_REFERER substring check in auth_login_redirect","problemTypes":[{"descriptions":[{"cweId":"CWE-601","lang":"en","description":"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')","type":"CWE"}]}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":6.1,"baseSeverity":"MEDIUM","confidentialityImpact":"LOW","integrityImpact":"LOW","privilegesRequired":"NONE","scope":"CHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","version":"3.1"}}],"references":[{"name":"https://github.com/Cacti/cacti/security/advisories/GHSA-6gr7-53g8-vchq","tags":["x_refsource_CONFIRM"],"url":"https://github.com/Cacti/cacti/security/advisories/GHSA-6gr7-53g8-vchq"},{"name":"https://github.com/Cacti/cacti/releases/tag/release%2F1.2.31","tags":["x_refsource_MISC"],"url":"https://github.com/Cacti/cacti/releases/tag/release%2F1.2.31"}],"affected":[{"vendor":"Cacti","product":"cacti","versions":[{"version":"< 1.2.31","status":"affected"}]}],"providerMetadata":{"orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M","dateUpdated":"2026-06-25T22:29:51.784Z"},"descriptions":[{"lang":"en","value":"Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior are vulnerable to Open Redirect through a substring check rather than a host check at str_contains($referer, CACTI_PATH_URL). When the user's login_opts == '1' (redirect to referer after login), the function used $_SERVER['HTTP_REFERER'] directly.  An attacker could craft a referer such as https://evil.com/cacti/. Where CACTI_PATH_URL is /cacti/, the substring matches and the user is redirected to evil.com after login. The pre-existing validate_redirect_url() helper at lib/html_utility.php performed proper validation but was not invoked from auth_login_redirect(). This issue has been fixed in version 1.2.31."}],"source":{"advisory":"GHSA-6gr7-53g8-vchq","discovery":"UNKNOWN"}},"adp":[{"references":[{"url":"https://github.com/Cacti/cacti/security/advisories/GHSA-6gr7-53g8-vchq","tags":["exploit"]}],"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-06-26T14:08:58.081501Z","id":"CVE-2026-40080","options":[{"Exploitation":"poc"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-06-26T14:09:20.592Z"}}]}}