Cacti 1.0.0 has released recently fixing several bugs and at least 2 notable vulnerabilities. CVE-2014-4000: PHP Object Injection Vulnerabilities CVE-2016-2313: allows remote authenticated users who use web authentication to bypass intended access http://www.cacti.net/release_notes_1_0_0.php
Version 1.1.20 is in the tree and being stabilized in bug 626992.
This issue was resolved and addressed in GLSA 201711-10 at https://security.gentoo.org/glsa/201711-10 by GLSA coordinator Aaron Bauman (b-man).