PT-2026-57817 · Vitec · Vitec Flamingo

Adam Outikni

+1

·

Published

2026-07-13

·

Updated

2026-07-13

·

CVE-2026-61498

CVSS v3.1

9.8

Critical

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions Vitec Flamingo version 4.12.2
Description An unauthenticated OS command injection exists in the 'admin/ajax/gen graphs.php' endpoint. Remote attackers can execute arbitrary commands with root privileges by providing shell metacharacters through the start, end, key, or format HTTP GET parameters. This occurs because the graph generation script fails to sanitize input before passing it to shell commands via the passthru() function, and the web server context possesses passwordless sudo access.
Recommendations Update Vitec Flamingo version 4.12.2 to a patched version. As a temporary workaround, restrict access to the 'admin/ajax/gen graphs.php' endpoint.

Exploit

Fix

OS Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-61498

Affected Products

Vitec Flamingo