GHSA-37rx-6hw8-mc8wCriticalCVSS 9.8

Vitec Flamingo 4.12.2 contains an unauthenticated OS command injection vulnerability in the admin...

Published
July 13, 2026
Last Modified
July 13, 2026

🔗 CVE IDs covered (1)

📋 Description

Vitec Flamingo 4.12.2 contains an unauthenticated OS command injection vulnerability in the admin/ajax/ping.php endpoint that allows remote attackers to execute arbitrary commands by exploiting a double-evaluation flaw in shell argument handling. The endpoint applies escapeshellarg() to the user-supplied host POST parameter before passing it to a system wrapper, but the wrapper retrieves the decoded value from argv and incorporates it into a second shell_exec() call without escaping, allowing injected commands to execute with root privileges via passwordless sudo.

🔗 References (5)