Back to overview

CVE-2026-61498

CRITICAL
9.8
CVSS 3.1
Description
Vitec Flamingo 4.12.2 contains an unauthenticated OS command injection vulnerability in the admin/ajax/gen_graphs.php endpoint that allows remote unauthenticated attackers to execute arbitrary commands by supplying shell metacharacters in the start, end, key, or format HTTP GET parameters. Attackers can exploit the lack of input sanitization in the graph generation script, which passes user-supplied values directly to shell commands via passthru(), to execute arbitrary OS commands with root privileges due to the web server context having passwordless sudo access.

Metadata

CVE ID
CVE-2026-61498
State
PUBLISHED
Assigner
VulnCheck
Reserved
2026-07-10 15:43 UTC
Published
2026-07-13 13:12 UTC
Last updated
2026-07-13 13:12 UTC
Primary CWE
CWE-78
Improper Neutralization of Special Elements used in an OS Co…
Vendor / Product
VITEC / Flamingo
Sources
cve.org  ·  NVD

Severity & Metrics

9.8 CRITICAL CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products (1)
VendorProductPlatformVersions
VITEC Flamingo 4.12.2
Weakness (CWE)
CWESourceDescription
CWE-78 cna Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVSS scores (2)
ScoreSeverityVersionSourceVector
9.8 CRITICAL 3.1 cna CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.3 CRITICAL 4.0 cna CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Back to overview