Home

Description

Vitec Flamingo 4.12.2 contains an unauthenticated OS command injection vulnerability in the admin/ajax/ping.php endpoint that allows remote attackers to execute arbitrary commands by exploiting a double-evaluation flaw in shell argument handling. The endpoint applies escapeshellarg() to the user-supplied host POST parameter before passing it to a system wrapper, but the wrapper retrieves the decoded value from argv and incorporates it into a second shell_exec() call without escaping, allowing injected commands to execute with root privileges via passwordless sudo.

PUBLISHED Reserved 2026-07-08 | Published 2026-07-13 | Updated 2026-07-13 | Assigner VulnCheck




CRITICAL: 9.3CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CRITICAL: 9.8CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Problem types

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Product status

Default status
affected

4.12.2 (semver)
affected

Credits

Yassine Damiri finder

Adam Outikni finder

References

damiri.fr/en/cve/CVE-2026-60121 (Researcher Disclosure) technical-description exploit

www.vitec.com/solutions/iptv-distribution (Product Webpage) product

www.vulncheck.com/...cated-os-command-injection-via-ping-php third-party-advisory

cve.org (CVE-2026-60121)

nvd.nist.gov (CVE-2026-60121)

Download JSON