Cacti prior to 1.2.18 allows remote malicious users to trigger XSS via template import for the midwinter theme.