Here is the article.
CVE-2026-61498: Unauthenticated Root Command Injection in Vitec Flamingo 4.12.2
A critical (CVSS 9.8) OS command injection flaw in Vitec Flamingo 4.12.2 lets remote, unauthenticated attackers run arbitrary commands as root through the graph-generation endpoint.
What Is It
CVE-2026-61498 is an unauthenticated OS command injection vulnerability (CWE-78) in the admin/ajax/gen_graphs.php endpoint of Vitec Flamingo 4.12.2. The graph generation script fails to sanitize input and passes user-supplied values directly to shell commands via PHP's passthru(). An attacker can inject shell metacharacters through the start, end, key, or format HTTP GET parameters to execute arbitrary OS commands. Because the web server context has passwordless sudo access, those commands run with root privileges.
Why It Matters
The vulnerability carries a CVSS 3.1 base score of 9.8 (CRITICAL) with a CVSS 4.0 secondary score of 9.3. It is network-exploitable (AV:N), requires low attack complexity (AC:L), needs no privileges (PR:N) and no user interaction (UI:N), and yields high confidentiality, integrity, and availability impact. In practice, a single crafted HTTP GET request grants full root-level control of the affected host with no authentication.
What's Vulnerable
- Vendor: VITEC
- Product: Flamingo
- Affected version: 4.12.2
The vulnerable code path is the admin/ajax/gen_graphs.php endpoint reachable via the start, end, key, and format GET parameters.
Patch Status
The supplied source material does not include a CISA KEV entry for this CVE, so there is no confirmation of active exploitation or a mandated remediation deadline at this time. The NVD record lists a vulnerability status of "Undergoing Analysis" and does not specify a fixed version or vendor patch. Refer to the VulnCheck advisory and vendor resources below for the latest guidance.