Description
Vitec Flamingo 4.12.2 contains an unauthenticated OS command injection vulnerability in the admin/ajax/ping.php endpoint that allows remote attackers to execute arbitrary commands by exploiting a double-evaluation flaw in shell argument handling. The endpoint applies escapeshellarg() to the user-supplied host POST parameter before passing it to a system wrapper, but the wrapper retrieves the decoded value from argv and incorporates it into a second shell_exec() call without escaping, allowing injected commands to execute with root privileges via passwordless sudo.
Problem types
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Product status
4.12.2 (semver)
Credits
Yassine Damiri
Adam Outikni
References
damiri.fr/en/cve/CVE-2026-60121 (Researcher Disclosure)
www.vitec.com/solutions/iptv-distribution (Product Webpage)
www.vulncheck.com/...cated-os-command-injection-via-ping-php