## Findings (validated by xAI Grok security review)

### 1. RLIKE SQL Injection (HIGH)

`hmib_types.php:395-396`: DB-sourced values `$known['sysObjectID']` and `$known['sysDescrMatch']` are concatenated raw into RLIKE SQL clauses without db_qstr() escaping.

### 2. exec() command execution (HIGH)

- `poller_graphs.php:316,319,448`: exec/shell_exec with constructed command strings
- `snmp.php:139,252`: exec with SNMP path and hostname parameters (partially escaped with cacti_escapeshellarg)

### Recommended fixes

1. Wrap RLIKE values with db_qstr()
2. Audit all exec() paths for complete input escaping
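The two fix patterns above, as an added illustration that is not code from the hmib plugin or from Cacti: it places a vulnerable RLIKE clause builder beside the db_qstr() form, and shows an exec() argument list where every variable token goes through cacti_escapeshellarg(). The column names, function names (`rlike_where_vulnerable`, `rlike_where_fixed`, `build_snmp_command`) and the sample row are assumptions made for the example; the stand-in definitions of db_qstr() and cacti_escapeshellarg() exist only so the file runs outside Cacti, where the real functions from lib/database.php and lib/functions.php are used instead.

```php
<?php
// Added example, not code from the hmib plugin or from Cacti itself.
// Assumptions: inside Cacti the real db_qstr() and cacti_escapeshellarg()
// are loaded; the stand-ins below only let this file run on its own.

if (!function_exists('db_qstr')) {
    // Stand-in: Cacti's db_qstr() returns a quoted, escaped SQL string literal
    // (the real one delegates to PDO::quote()).
    function db_qstr($value) {
        return "'" . str_replace(["\\", "'"], ["\\\\", "\\'"], (string) $value) . "'";
    }
}

if (!function_exists('cacti_escapeshellarg')) {
    // Stand-in: Cacti's cacti_escapeshellarg() wraps PHP's escapeshellarg().
    function cacti_escapeshellarg($value) {
        return escapeshellarg((string) $value);
    }
}

/* --- Finding 1: RLIKE clauses built from DB-sourced values --- */

// Vulnerable pattern (hypothetical shape, mirroring the finding): the stored
// value is concatenated raw, so a quote inside it changes the SQL structure.
function rlike_where_vulnerable(array $known): string {
    return "WHERE sysObjectID RLIKE '" . $known['sysObjectID'] . "'"
        . " AND sysDescr RLIKE '" . $known['sysDescrMatch'] . "'";
}

// Hardened pattern: db_qstr() supplies the surrounding quotes and escapes the
// content, so the value can only be read as a string literal. Note the
// hand-written quotes are removed, otherwise the literal is double-quoted.
function rlike_where_fixed(array $known): string {
    return 'WHERE sysObjectID RLIKE ' . db_qstr($known['sysObjectID'])
        . ' AND sysDescr RLIKE ' . db_qstr($known['sysDescrMatch']);
}

/* --- Finding 2: exec() with constructed command strings --- */

// Every variable token (hostname, OID) is escaped individually before being
// joined; only the binary path chosen by configuration stays a literal.
function build_snmp_command(string $snmpget, string $hostname, string $oid): string {
    return $snmpget . ' '
        . cacti_escapeshellarg($hostname) . ' '
        . cacti_escapeshellarg($oid);
}

// Constructed sample row, standing in for a row read from the plugin's tables.
// The apostrophe in sysDescrMatch is the character that matters for RLIKE.
$known = [
    'sysObjectID'   => '^\\.1\\.3\\.6\\.1\\.4\\.1\\.9\\.',
    'sysDescrMatch' => "Vendor's OS",
];

echo rlike_where_vulnerable($known), PHP_EOL; // apostrophe terminates the literal early
echo rlike_where_fixed($known), PHP_EOL;      // apostrophe is escaped inside the literal
echo build_snmp_command('/usr/bin/snmpget', "router 01's", '.1.3.6.1.2.1.1.1.0'), PHP_EOL;
```

When auditing the exec() call sites listed under finding 2, the check is that each token that can originate from a database row, a request parameter or device output passes through cacti_escapeshellarg() on its own, rather than the whole assembled command string being escaped once; escaping the joined string would also quote the spaces between arguments and break the invocation.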