Product
Vitec Flamingo version 4.12.2 contains an unauthenticated OS command injection vulnerability (CVE-2026-60121) in the `admin/ajax/ping.php` endpoint, allowing remote attackers to execute arbitrary commands with root privileges via a double-evaluation flaw in shell argument handling through the `host` POST parameter.