PatchSiren

VITEC CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

CRITICAL VITEC CVE published 2026-07-13

CVE-2026-61498

CVE-2026-61498 is an unauthenticated OS command injection vulnerability in Vitec Flamingo 4.12.2. The vulnerability exists in the admin/ajax/gen_graphs.php endpoint, allowing remote unauthenticated attackers to execute arbitrary commands by supplying shell metacharacters in the start, end, key, or format HTTP GET parameters. The vulnerability is caused by a lack of input sanitization in the graph generati [truncated]

CRITICAL VITEC CVE published 2026-07-13

CVE-2026-60121

CVE-2026-60121 is a critical unauthenticated OS command injection vulnerability in Vitec Flamingo 4.12.2. The vulnerability is located in the admin/ajax/ping.php endpoint, which allows remote attackers to execute arbitrary commands by exploiting a double-evaluation flaw in shell argument handling. The endpoint applies escapeshellarg() to the user-supplied host POST parameter before passing it to a system [truncated]