A vulnerability, which was classified as critical , has been found in Cacti up to 1.2.30 . This affects an unknown function of the file package_import.php . The manipulation of the argument filename leads to path traversal. This vulnerability is referenced as CVE-2026-39899 . Remote exploitation of the attack is possible. No exploit is available. It is advisable to upgrade the affected component.