cacti is vulnerable to SQL injection. Multiple SQL injection flaws were discovered in Cacti. An unauthenticated, or authenticated user with certain administrative privileges, could use these flaws to execute arbitrary SQL queries.
bugs.debian.org/cgi-bin/bugreport.cgi?bug=578909
lists.opensuse.org/opensuse-security-announce/2010-05/msg00001.html
seclists.org/fulldisclosure/2010/Apr/272
secunia.com/advisories/39568
secunia.com/advisories/39572
secunia.com/advisories/41041
www.cacti.net/downloads/patches/0.8.7e/sql_injection_template_export.patch
www.debian.org/security/2010/dsa-2039
www.exploit-db.com/sploits/Bonsai-SQL_Injection_in_Cacti.pdf
www.mandriva.com/security/advisories?name=MDVSA-2010:092
www.redhat.com/security/updates/classification/#important
www.securityfocus.com/bid/39653
www.vupen.com/english/advisories/2010/0986
www.vupen.com/english/advisories/2010/1107
www.vupen.com/english/advisories/2010/2132
access.redhat.com/errata/RHSA-2010:0635
rhn.redhat.com/errata/RHSA-2010-0635.html