SYS::ONLINE
Wasteland.
Briefs1204
Issues19
SinceFeb 2026
LIVE
⚡ Active KEV CVE-2026-61498 2026-07-13

CVE-2026-61498: Unauthenticated Root Command Injection in Vitec Flamingo 4.12.2

"A critical (CVSS 9.8) OS command injection flaw in Vitec Flamingo 4.12.2 lets remote, unauthenticated attackers run arbitrary commands as root through the graph-generation endpoint."

Here is the article.

CVE-2026-61498: Unauthenticated Root Command Injection in Vitec Flamingo 4.12.2

A critical (CVSS 9.8) OS command injection flaw in Vitec Flamingo 4.12.2 lets remote, unauthenticated attackers run arbitrary commands as root through the graph-generation endpoint.

What Is It

CVE-2026-61498 is an unauthenticated OS command injection vulnerability (CWE-78) in the admin/ajax/gen_graphs.php endpoint of Vitec Flamingo 4.12.2. The graph generation script fails to sanitize input and passes user-supplied values directly to shell commands via PHP's passthru(). An attacker can inject shell metacharacters through the start, end, key, or format HTTP GET parameters to execute arbitrary OS commands. Because the web server context has passwordless sudo access, those commands run with root privileges.

Why It Matters

The vulnerability carries a CVSS 3.1 base score of 9.8 (CRITICAL) with a CVSS 4.0 secondary score of 9.3. It is network-exploitable (AV:N), requires low attack complexity (AC:L), needs no privileges (PR:N) and no user interaction (UI:N), and yields high confidentiality, integrity, and availability impact. In practice, a single crafted HTTP GET request grants full root-level control of the affected host with no authentication.

What's Vulnerable

The vulnerable code path is the admin/ajax/gen_graphs.php endpoint reachable via the start, end, key, and format GET parameters.

Patch Status

The supplied source material does not include a CISA KEV entry for this CVE, so there is no confirmation of active exploitation or a mandated remediation deadline at this time. The NVD record lists a vulnerability status of "Undergoing Analysis" and does not specify a fixed version or vendor patch. Refer to the VulnCheck advisory and vendor resources below for the latest guidance.

Sources