PT-2026-57817 · Vitec · Vitec Flamingo
Adam Outikni
+1
·
Published
2026-07-13
·
Updated
2026-07-13
·
CVE-2026-61498
CVSS v3.1
9.8
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Vitec Flamingo version 4.12.2
Description
An unauthenticated OS command injection exists in the 'admin/ajax/gen graphs.php' endpoint. Remote attackers can execute arbitrary commands with root privileges by providing shell metacharacters through the
start, end, key, or format HTTP GET parameters. This occurs because the graph generation script fails to sanitize input before passing it to shell commands via the passthru() function, and the web server context possesses passwordless sudo access.Recommendations
Update Vitec Flamingo version 4.12.2 to a patched version.
As a temporary workaround, restrict access to the 'admin/ajax/gen graphs.php' endpoint.
Exploit
Fix
OS Command Injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Vitec Flamingo