In December 2022, the tool’s maintainers announced patches for CVE-2022-46169, a critical-severity command injection flaw that could allow unauthenticated attackers to execute code on the server running Cacti, if a specific data source was used.