Skip to main content

Flamingo

6 CVEs product

Monthly

CVE-2026-61498 CRITICAL POC Act Now

Remote OS command execution in Vitec Flamingo 4.12.2 lets unauthenticated attackers run arbitrary commands as root through the admin/ajax/gen_graphs.php graph-generation endpoint. The start, end, key, and format GET parameters are passed unsanitized into a PHP passthru() shell call, and because the web server runs with passwordless sudo the impact escalates to full root compromise. Publicly available exploit code exists (VulnCheck), though there is no CISA KEV listing, so this is a high-priority, easily weaponizable flaw.

Command Injection PHP Flamingo
NVD
CVSS 4.0
9.3
EPSS
2.2%
CVE-2026-60121 CRITICAL POC Act Now

Unauthenticated OS command injection in Vitec Flamingo 4.12.2 (IPTV distribution) lets remote attackers run arbitrary commands as root through the admin/ajax/ping.php endpoint. The flaw stems from a double-evaluation bug where a system wrapper re-uses the decoded, un-escaped host value in a second shell call executed via passwordless sudo. Publicly available exploit code exists (VulnCheck); no active exploitation is confirmed in CISA KEV at time of analysis.

Command Injection PHP Flamingo
NVD
CVSS 4.0
9.3
EPSS
1.4%
CVE-2020-35245 CRITICAL POC Act Now

Flamingo (aka FlamingoIM) through 2020-09-29 has a SQL injection vulnerability in UserManager::addUser. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Flamingo
NVD GitHub
CVSS 3.1
9.8
EPSS
1.1%
CVE-2020-35244 CRITICAL POC Act Now

Flamingo (aka FlamingoIM) through 2020-09-29 has a SQL injection vulnerability in UserManager::addGroup. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Flamingo
NVD GitHub
CVSS 3.1
9.8
EPSS
1.1%
CVE-2020-35243 CRITICAL POC Act Now

Flamingo (aka FlamingoIM) through 2020-09-29 has a SQL injection vulnerability in UserManager::updateUserInfoInDb. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Flamingo
NVD GitHub
CVSS 3.1
9.8
EPSS
1.1%
CVE-2020-35242 CRITICAL POC Act Now

Flamingo (aka FlamingoIM) through 2020-09-29 has a SQL injection vulnerability in UserManager::updateUserTeamInfoInDbAndMemory. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Flamingo
NVD GitHub
CVSS 3.1
9.8
EPSS
1.1%
EPSS 2% CVSS 9.3
CRITICAL POC Act Now

Remote OS command execution in Vitec Flamingo 4.12.2 lets unauthenticated attackers run arbitrary commands as root through the admin/ajax/gen_graphs.php graph-generation endpoint. The start, end, key, and format GET parameters are passed unsanitized into a PHP passthru() shell call, and because the web server runs with passwordless sudo the impact escalates to full root compromise. Publicly available exploit code exists (VulnCheck), though there is no CISA KEV listing, so this is a high-priority, easily weaponizable flaw.

Command Injection PHP Flamingo
NVD
EPSS 1% CVSS 9.3
CRITICAL POC Act Now

Unauthenticated OS command injection in Vitec Flamingo 4.12.2 (IPTV distribution) lets remote attackers run arbitrary commands as root through the admin/ajax/ping.php endpoint. The flaw stems from a double-evaluation bug where a system wrapper re-uses the decoded, un-escaped host value in a second shell call executed via passwordless sudo. Publicly available exploit code exists (VulnCheck); no active exploitation is confirmed in CISA KEV at time of analysis.

Command Injection PHP Flamingo
NVD
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

Flamingo (aka FlamingoIM) through 2020-09-29 has a SQL injection vulnerability in UserManager::addUser. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Flamingo
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

Flamingo (aka FlamingoIM) through 2020-09-29 has a SQL injection vulnerability in UserManager::addGroup. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Flamingo
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

Flamingo (aka FlamingoIM) through 2020-09-29 has a SQL injection vulnerability in UserManager::updateUserInfoInDb. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Flamingo
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

Flamingo (aka FlamingoIM) through 2020-09-29 has a SQL injection vulnerability in UserManager::updateUserTeamInfoInDbAndMemory. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Flamingo
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy