Back to overview

CVE-2026-60121

CRITICAL Exploitation: PoC
9.8
CVSS 3.1
Description
Vitec Flamingo 4.12.2 contains an unauthenticated OS command injection vulnerability in the admin/ajax/ping.php endpoint that allows remote attackers to execute arbitrary commands by exploiting a double-evaluation flaw in shell argument handling. The endpoint applies escapeshellarg() to the user-supplied host POST parameter before passing it to a system wrapper, but the wrapper retrieves the decoded value from argv and incorporates it into a second shell_exec() call without escaping, allowing injected commands to execute with root privileges via passwordless sudo.

Metadata

CVE ID
CVE-2026-60121
State
PUBLISHED
Assigner
VulnCheck
Reserved
2026-07-08 13:27 UTC
Published
2026-07-13 13:11 UTC
Last updated
2026-07-13 14:02 UTC
Primary CWE
CWE-78
Improper Neutralization of Special Elements used in an OS Co…
Vendor / Product
VITEC / Flamingo
Sources
cve.org  ·  NVD

Severity & Metrics

9.8 CRITICAL CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SSVC — CISA Coordinator
Exploitation
PoC
Automatable
yes
Tech. Impact
total
Affected products (1)
VendorProductPlatformVersions
VITEC Flamingo 4.12.2
Weakness (CWE)
CWESourceDescription
CWE-78 cna Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVSS scores (2)
ScoreSeverityVersionSourceVector
9.8 CRITICAL 3.1 cna CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.3 CRITICAL 4.0 cna CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Back to overview