Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior are vulnerable to Command Injection due to lack of sanitization in the escapecommand() function. The escapecommand() function at lib/rrd.php is a no-op: it returns $command unchanged. The command line built by rrdtoolfunctiongraph() is passed through this function and then to shellexec($fullcommandline). The risk is in _rrdexecute() where textformat values from graph templates (which may contain host variable substitutions) reach shellexec without adequate escaping. This issue has been addressed in version 1.2.31.