SQL injection vulnerability in the hostnewgraphssave function in graphsnew.php in Cacti 0.8.8f and earlier allows remote authenticated users to execute arbitrary SQL commands via crafted serialized data in the selectedgraphsarray parameter in a save action.