From URL: Description spikekill.php in Cacti before 1.1.16 might allow remote attackers to execute arbitrary code via the avgnan, outlier-start, or outlier-end parameter.
Version 1.1.20 is in the tree and being stabilized in bug 626992.
This issue was resolved and addressed in GLSA 201711-10 at https://security.gentoo.org/glsa/201711-10 by GLSA coordinator Aaron Bauman (b-man).