THREAT WATCH
High Microsoft Active Directory Federation Services: CVE-2026-56155 — Microsoft Active Directory Federation Services Insufficient Granularity of Access Control Vulnerability Medium Microsoft SharePoint Server: CVE-2026-56164 — Microsoft SharePoint Server Missing Authentication for Critical Function Vulnerability Critical SonicWall SMA1000 Appliances: CVE-2026-15409 — SonicWall SMA1000 Appliances Server-Side Request Forgery Vulnerability Actively Exploited SonicWall SMA1000 Appliances: CVE-2026-15410 — SonicWall SMA1000 Appliances Code Injection Vulnerability Medium Cisco IOS: CVE-2008-4128 — Cisco IOS Cross-Site Request Forgery Vulnerability Critical Balbooa Forms: CVE-2026-56291 — Balbooa Forms Unrestricted Upload of File with Dangerous Type Vulnerability Critical iCagenda iCagenda: CVE-2026-48939 — iCagenda Unrestricted Upload of File with Dangerous Type Vulnerability Critical JoomShaper SP Page Builder: CVE-2026-48908 — JoomShaper SP Page Builder Unrestricted Upload of File with Dangerous Type Vulnerability High Microsoft Active Directory Federation Services: CVE-2026-56155 — Microsoft Active Directory Federation Services Insufficient Granularity of Access Control Vulnerability Medium Microsoft SharePoint Server: CVE-2026-56164 — Microsoft SharePoint Server Missing Authentication for Critical Function Vulnerability Critical SonicWall SMA1000 Appliances: CVE-2026-15409 — SonicWall SMA1000 Appliances Server-Side Request Forgery Vulnerability Actively Exploited SonicWall SMA1000 Appliances: CVE-2026-15410 — SonicWall SMA1000 Appliances Code Injection Vulnerability Medium Cisco IOS: CVE-2008-4128 — Cisco IOS Cross-Site Request Forgery Vulnerability Critical Balbooa Forms: CVE-2026-56291 — Balbooa Forms Unrestricted Upload of File with Dangerous Type Vulnerability Critical iCagenda iCagenda: CVE-2026-48939 — iCagenda Unrestricted Upload of File with Dangerous Type Vulnerability Critical JoomShaper SP Page Builder: CVE-2026-48908 — JoomShaper SP Page Builder Unrestricted Upload of File with Dangerous Type Vulnerability

CVE-2026-61498 — Vitec Flamingo 4.12.2 contains an unauthenticated OS command…

Back to Threat Intel Dashboard
Critical CVSS 9.8 Recently disclosed · NVD

CVE-2026-61498 — Vitec Flamingo 4.12.2 contains an unauthenticated OS command…

CVE-2026-61498 Published Jul 13, 2026
TL;DR

CVE-2026-61498 — Vitec Flamingo 4.12.2 contains an unauthenticated OS command… has a recently disclosed critical-severity vulnerability (CVE-2026-61498). It has not been reported as actively exploited — patch it proactively as part of your normal cycle before that changes.

What is this vulnerability?

Vitec Flamingo 4.12.2 contains an unauthenticated OS command injection vulnerability in the admin/ajax/gen_graphs.php endpoint that allows remote unauthenticated attackers to execute arbitrary commands by supplying shell metacharacters in the start, end, key, or format HTTP GET parameters. Attackers can exploit the lack of input sanitization in the graph generation script, which passes user-supplied values directly to shell commands via passthru(), to execute arbitrary OS commands with root privileges due to the web server context having passwordless sudo access.

How it works

This is classified as OS Command Injection. In plain terms, an attacker could use this flaw in the affected product to gain access, disrupt service, or steal data — the exact impact depends on how it’s deployed in your environment.

CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Mitigations

  • Apply the vendor’s security patch or update as soon as it’s available and tested.
  • If no patch exists yet, apply the vendor’s temporary workaround.
  • Limit network exposure of the affected system until it’s patched.
  • Track the vendor advisory — disclosed vulnerabilities can move to active exploitation quickly.

Recommendations

  • Confirm whether this vendor’s affected product is used anywhere in your environment.
  • Patch internet-facing systems first, then internal ones.
  • Prioritise by exposure and exploitability while a fix is scheduled.
  • Subscribe to the vendor’s security advisories for earlier warning next time.

Compiled from the National Vulnerability Database (NVD), referenced in 3 public advisories. Listed as recently disclosed — not confirmed exploited.