Description:
This update for cacti fixes the following issues:
- Update to version 1.2.30+git306.82d5aef5:
* add a collapse icon (#7047)
* security: consolidated defense-in-depth hardening (1.2.x) (#7039)
* fix(security): harden boost cache, deserialization, GET_LOCK, and process management (#7021)
* CVE-2026-0540 - Update DOMPurify to 3.3.3. phpseclib's AES-CBC unpadding susceptible to padding oracle timing attack (#7022)
* fix(security): harden exec_background, log path redirection, and CLI argument handling (#7016)
* fix: IPv6 support hardening for SNMP sessions, ping validation, and binary transport (#7014)
* fix(security): enforce strict metric serialization at RRDtool IPC boundary (#7012)
* fix(security): harden rrd.php, database.php, and html_utility.php (1.2.x) (#7002)
* fix(security): harden auth lockout, CSPRNG fallback, error escaping, and redirect (1.2.x) (#7000)
* fix(security): harden core execution boundaries and XML processing (#7010)
* fix(security): harden utility.php PHP binary validation, SQL injection, PRNG, and XSS (#7006)
* fix(security): escape html_filter form attributes and JS context (1.2.x) (#6995)
* fix: prevent empty CDEF RPN expressions in aggregate graphs (1.2.x) (#6985)
* fix: aggregate 95th percentile uses SUM instead of MAX for SIMILAR (1.2.x) (#6984)
* fix: CF fallback selection overwritten by cf_reference (1.2.x) (#6982)
* fix: remove unconditional overwrite of coerced multi-DS values (1.2.x) (#6981)
* fix: cacti_snmp_validate_oid accepts non-numeric OIDs (1.2.x) (#6980)
* fix(scripts): return 'U' on error in ss_webseer, ss_gexport, query_host_cpu (1.2.x) (#6983)
* fix: Fixing additional review issues (#6979)
* fix: Fixing issues with dns call (#6977)
* fix: Fixing wrong variable use (#6976)
* fix(security): cast effective_user to int and validate OID format in remote_agent (1.2.x) (#6969)
* fix(security): escape rrdtool tune arguments to prevent command injection (#6967)
* fix(security): forward-verify PTR result in remote_client_authorized() (#6968)
* fix(security): validate graph_theme with basename() to prevent LFI (#6966)
* fix(security): escape error message output in auth_login.php (#6958)
* fix: Simplify redirect handling in Cacti and Fix Multi-Sort (#6955)
* fix(security): use strict comparisons in auth and restrict unserialize (#6960)
* fix: correct spikekill user/default inversion and add RRD file check (1.2.x) (#6962)
* fix(security): parameterize SQL, add column allow-list, and type-safe counter math (#6961)
* fix(hardening): replace raw $_REQUEST with input wrapper functions (#6959)
* fix graph debug (#6956)
* fix: return text error in graph debug mode when RRD file missing (1.2.x) (#6924)
* security: fix XSS in JavaScript contexts across UI pages (1.2.x) (#6929)
* fix: correct colourBrightness calculation for negative and integer percentages (1.2.x) (#6928)
* Fix: Removing backtick operator from code (#6922)
* fix: remove noisy RRD file-not-found log message (#6918)
* security: remaining hardening backports to 1.2.x (#6917)
* Fix: Issues changing poller and audit plugin (#6915)
* Fix: Add missing function rrdtool_file_exists (#6914)
* security: harden shell command execution against injection (1.2.x backport) (#6902)
* security: fix SSRF and SSL verification in help.php (1.2.x backport) (#6906)
* fix: backport spikekill and realtime graph fixes to 1.2.x (#6909)
* security: fix XSS and open redirect in auth and UI pages (1.2.x backport) (#6910)
* security: parameterize SQL in sequence functions and data_queries.php (1.2.x backport) (#6911)
* security: fix SSRF, command injection, and XSS in core functions (1.2.x) (#6913)
* security: support array arguments in exec_background and __rrd_execute (1.2.x backport) (#6912)
* Fixing managers actions not taking action (#6901)
* security: harden SQL query construction against injection (1.2.x backport) (#6897)
* security: fix XSS, path traversal, open redirect, and IDOR (1.2.x backport) (#6899)
* security: fix unsafe deserialization in managers.php (1.2.x backport) (#6898)
* Update translation files
* Translated using Weblate (Swedish)
* Update translation files
* Translated using Weblate (Swedish)
* Update translation files
* Translated using Weblate (Swedish)
* fix(1.2.x): correct codespell-detected spelling errors in PHP source files (#6808)
* qa: Removing php7.4 and php8.0 from our validation matrix due to recent plugin changes (#6817)
* Update translation files
* Translated using Weblate (Swedish)
* [1.2.x] fix: exec_with_timeout operator precedence, child kill, and stderr handling (#6732)
* fix(auth): add column-name whitelist to is_view_allowed() (#6708)
* fix: parameterize SQL in cli/add_device.php (#6710)
* fix: remove PHP_EOL from force_https redirect header (#6711)
* fix: three one-line typos in spikekill subsystem (#6712)
* fix: add output_format to ifName and ifDescr in interface.xml (#6713)
* fix: strict comparison in replicate_table_to_poller column exclusion (#6714)
* fix: escape values in array_to_sql_or() to prevent SQL injection (#6709)
* fix: correct JOIN condition in is_view_allowed() group membership query (#6734)
* fix false down status in gui (#6706)
* add dell idrac template (#6681)
* Backport check_all_pages.sh to 1.2.x (#6678)
- Update to version 1.2.30+git233.9b67d5e98:
* remove wrong styles (#6654)
* Fix paper-plane theme (#6640)
- Update to latest release/1.2.30+git231.bca15e70c:
- Updates since 1.2.30:
* security#GHSA-6RVG-2VM8-5WRF: CVE-2026-22802 Authentication Bypass leads to information disclosure
* security: CVE-2026-1513 billboard.js before 3.18.0 Improper Input Sanitization Allows Remote JavaScript Execution
* issue#6168: When purging RRD files, paths are not correctly handled
* issue#6202: When using automation, devices may not be added as expected
* issue#6204: Attempting to match a field in automation may cause unexpected errors
* issue#6210: Ensure column names are escaped to prevent reserved word issues
* issue#6240: Improve sort order for incorrect RRAs
* issue#6249: Unable to send Email to users without a domain name
* issue#6251: When viewing a graph, do not produce unnecessary errors if graph has been removed
* issue#6253: When i18n formatting numbers, assume null means 0 by xmacan
* issue#6257: When data sources are removed, ensure only RRD files are removed by xmacan
* issue#6262: When the database connection drops during query, retry to ensure success
* issue#6270: Incorrect escaping may prevent drop downs working as intended
* issue#6271: When validation errors occur, provide more information to help diagnosis
* issue#6283: When calculating total pages, ensure math errors do not occur
* issue#6292: When validating null request variables, fatal errors may occur
* issue#6294: Automation may produce unexpected warnings when detecting the OS
* issue#6296: Process timeouts may not end processes as expected
* issue#6297: Improve support for Secure SMTP
* issue#6299: Improve email address handling to support UTF8
* issue#6313: When editing multiple devices, unexpected errors may be recorded
* issue#6314: When editing an Aggregation Graph, total count may not reflect number of items correctly
* issue#6315: When duplicating a Data Input Method, unexpected errors may occur
* issue#6326: Improve SNMP v3 support for Cisco devices
* issue#6327: Implement Autocomplete standards for Login and Change Password
* issue#6329: When using LDAP, checking a user's groups may cause unexpected errors
* issue#6331: When upgrading from pre-1.0.5, unexpected errors may occur by YATV
* issue#6334: When creating Aggregate graphs, unable to hide HRULE and COMMENT based items
* issue#6335: Email addresses with leading or trailing spaces can cause issues
* issue#6441: Spikekill uses the wrong option for retention periods by 3432
* issue#6444: When a Data Input's Title is applied, unexpected errors and values may be seen
* issue#6490: When using Clear All on Selective Debug, first item is reselected
* issue#6507: Importing packages may not work as expected by xmacan
* issue#6508: When exporting graphs, data issues may lead to unexpected errors by xmacan
* issue#6516: When modifying Graph Automation Rules, unexpected errors may be logged
* issue#6518: Improve security of CSRF Secret by SMark-Black
* issue#6519: When using Real Time graphing, unexpected errors may appear if graph is removed
* issue#6546: Restore some missing SNMP Script Server configurations
* issue#6551: Improve support for FreeBSD when Auditing Databases by xmacan
* issue#6573: Create new device_change_javascript hook for THOLD plugin by xmacan
* issue#6598: Improve PHP 8 support by TheWitness
* issue#6600: When replicating plugins, unexpected errors may appear due to missing tables
* issue#6605: Prevent Row Data Loss When Rebuilding RRD Files
* issue#6606: When using SpikeKill, actions would not always lead to expected results
* feature#6523: When disabling users, ensure that their authentication cookies and sessions cleared
* feature#6524: When changing your password, log off from all sessions
* feature#6534: Improve Cacti Session ID security
* feature#6607: Implement session security on Password change
* feature: Update DOMPurify to 3.3.0
* feature: Update PHPMailer to 6.10 to support SMTPUTF8
* feature: Update phpseclib for the Service Check plugin
- Update requires/recommends for better fresh install experience
- Requires: php-intl
- Recommends: php-gettext php-pcntl mysql-tools
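Several of the hardening entries above (graph_theme validated with basename() to prevent LFI, rrdtool tune arguments escaped against command injection, restricted unserialize(), PHP_EOL removed from the force_https redirect header, strict comparisons in auth) describe the same handful of PHP patterns. The following is an added illustration written for this page, not Cacti's own code: every function, constant and sample value is an assumption chosen to show the vulnerable form beside the hardened one.

```php
<?php
declare(strict_types=1);

// Added illustration of the hardening patterns named in the changelog.
// Names, paths and inputs below are assumed for demonstration only.

const THEME_DIR = '/var/www/cacti/include/themes';   // assumed path

// LFI: a request-supplied theme name is concatenated into a file path,
// so '../../etc/passwd' walks out of the theme directory.
function theme_path_unsafe(string $theme): string {
    return THEME_DIR . '/' . $theme . '/main.css';
}

// Hardened: basename() strips every directory component, then an
// allow-list of known themes rejects anything unexpected.
function theme_path_safe(string $theme, array $known = ['modern', 'classic']): ?string {
    $theme = basename($theme);
    if (!in_array($theme, $known, true)) {
        return null;
    }
    return THEME_DIR . '/' . $theme . '/main.css';
}

// Command injection: caller-controlled values interpolated into a shell string.
function rrdtool_tune_unsafe(string $file, string $ds, string $heartbeat): string {
    return "rrdtool tune $file --heartbeat $ds:$heartbeat";
}

// Hardened: escapeshellarg() turns each value into a single quoted word, so
// a heartbeat of '300; rm -rf /' cannot start a second command.
function rrdtool_tune_safe(string $file, string $ds, int $heartbeat): string {
    return 'rrdtool tune ' . escapeshellarg($file)
        . ' --heartbeat ' . escapeshellarg($ds . ':' . $heartbeat);
}

// Deserialization: unserialize() on attacker-reachable data can instantiate
// arbitrary classes (gadget chains). allowed_classes => false keeps arrays
// and scalars but turns any object into __PHP_Incomplete_Class.
function load_settings_safe(string $blob): array {
    $data = unserialize($blob, ['allowed_classes' => false]);
    return is_array($data) ? $data : [];
}

// Header injection: a trailing PHP_EOL or attacker-supplied CR/LF in a
// Location header splits the response. Strip control characters and accept
// only same-site absolute paths (no protocol-relative '//host').
function safe_redirect_target(string $target): string {
    $target = preg_replace('/[\r\n\0]/', '', $target);
    if ($target === '' || $target[0] !== '/' || str_starts_with($target, '//')) {
        return '/index.php';
    }
    return $target;
}

// Strict comparison: with ==, two numeric strings compare as numbers, so
// '0e123' == '0e456' is true. hash_equals() is both strict and constant time.
function token_matches(string $stored, string $supplied): bool {
    return hash_equals($stored, $supplied);
}

// Checks on constructed inputs.
assert(basename('../../etc/passwd') === 'passwd');
assert(theme_path_safe('../../etc/passwd') === null);
assert(theme_path_safe('modern') === THEME_DIR . '/modern/main.css');
assert(rrdtool_tune_safe('/tmp/x.rrd', 'traffic', 300)
    === "rrdtool tune '/tmp/x.rrd' --heartbeat 'traffic:300'");
assert(load_settings_safe('O:8:"stdClass":0:{}') === []);
assert(load_settings_safe('a:1:{s:1:"k";s:1:"v";}') === ['k' => 'v']);
assert(safe_redirect_target('/index.php' . PHP_EOL) === '/index.php');
assert(safe_redirect_target("//evil.example/\r\nSet-Cookie: a=b") === '/index.php');
assert(('0e123' == '0e456') === true);
assert(token_matches('0e123', '0e456') === false);
echo "all checks passed\n";
```

Run with `php -d zend.assertions=1 file.php` so the assert() calls are evaluated; on production builds zend.assertions is normally -1 and they compile out.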
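The entry "forward-verify PTR result in remote_client_authorized()" refers to forward-confirmed reverse DNS: a reverse lookup of the connecting IP yields a name, and that name is only trusted if it resolves back to the same IP. The following is an added example, not Cacti's code; the function names and the DNS records are constructed, and the resolvers are injected as callables so the demonstration runs offline (in production they would wrap gethostbyaddr() and gethostbynamel()).

```php
<?php
declare(strict_types=1);

// Added illustration of forward-confirmed reverse DNS. Names and records are
// assumptions for this example only.

/** PTR-only check: trusts whatever the client's own reverse zone claims. */
function client_authorized_unsafe(string $ip, array $allowed, callable $ptr): bool {
    $name = $ptr($ip);
    return $name !== false && in_array(strtolower($name), $allowed, true);
}

/** Forward-confirmed: the PTR name must also resolve back to the client IP. */
function client_authorized_safe(string $ip, array $allowed, callable $ptr, callable $fwd): bool {
    $name = $ptr($ip);
    if ($name === false || !in_array(strtolower($name), $allowed, true)) {
        return false;
    }
    // Caveat for real code: gethostbyaddr() returns the IP string itself when
    // no PTR exists, which in_array() against hostnames would already reject.
    $addrs = $fwd($name);
    return is_array($addrs) && in_array($ip, $addrs, true);
}

// Constructed DNS data: the attacker controls reverse DNS for 203.0.113.9 and
// points it at the trusted poller's name, but cannot change the forward zone
// for example.net.
const PTR_RECORDS = [
    '198.51.100.20' => 'poller2.example.net',
    '203.0.113.9'   => 'poller2.example.net',
];
const A_RECORDS = [
    'poller2.example.net' => ['198.51.100.20'],
];

$ptr = fn(string $ip) => PTR_RECORDS[$ip] ?? false;
$fwd = fn(string $name) => A_RECORDS[strtolower($name)] ?? false;
$allowed = ['poller2.example.net'];

assert(client_authorized_unsafe('203.0.113.9', $allowed, $ptr) === true);          // spoofed PTR accepted
assert(client_authorized_safe('203.0.113.9', $allowed, $ptr, $fwd) === false);     // rejected after forward check
assert(client_authorized_safe('198.51.100.20', $allowed, $ptr, $fwd) === true);    // legitimate poller
assert(client_authorized_safe('192.0.2.1', $allowed, $ptr, $fwd) === false);       // no PTR at all
echo "forward-confirmed rDNS checks passed\n";
```

A hostname-based allow-list is still only as strong as the forward zone it depends on; pairing it with the remote poller's shared authentication secret, as Cacti does, is what makes the DNS check a defense-in-depth layer rather than the sole control.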