Stats Digest Feeds
โ† Back to all CVEs

CVE-2026-60121

CRITICAL NVD
CVSS Score 9.8
Severity CRITICAL
Published Jul 13, 2026
Vendor unknown

Description

Vitec Flamingo 4.12.2 contains an unauthenticated OS command injection vulnerability in the admin/ajax/ping.php endpoint that allows remote attackers to execute arbitrary commands by exploiting a double-evaluation flaw in shell argument handling. The endpoint applies escapeshellarg() to the user-supplied host POST parameter before passing it to a system wrapper, but the wrapper retrieves the decoded value from argv and incorporates it into a second shell_exec() call without escaping, allowing injected commands to execute with root privileges via passwordless sudo.

References