Command Injection Vulnerability in Yealink SIP-T46U Web FastCGI Service
CVE-2026-12219

5.3 MEDIUM

Key Information:

Vendor: Yealink

Status
Vendor
CVE Published: 15 June 2026

What is CVE-2026-12219?

A command injection vulnerability exists in the Web FastCGI Service of the Yealink SIP-T46U. The flaw is in the function mod_diagnose.CommandShellByType in the file /api/diagnosis/start, where manipulation of the Time argument leads to command injection. The weakness can be exploited remotely, allowing an attacker to execute arbitrary commands. The vendor was notified of this flaw earlier but has not responded.
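With no vendor response, one practical control is to watch for requests to the affected endpoint whose Time value is not a plain number. The following is an added example, not code from Yealink or from the original advisory; it assumes that Time is normally a short decimal integer, that it travels in the query string, and that requests to the phone are logged in combined-log style by a proxy or sensor in front of it. The log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

ENDPOINT = "/api/diagnosis/start"   # path named in the advisory
PARAM = "Time"                      # parameter named in the advisory
# Assumption: a legitimate Time value is a short decimal integer.
SAFE_TIME = re.compile(r"[0-9]{1,6}")
REQUEST = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[0-9.]+"')

# Constructed sample lines in combined-log style, not captured from a device.
SAMPLE_LOG = [
    '192.0.2.10 - - [15/Jun/2026:10:00:01 +0000] "GET /api/diagnosis/start?Time=5 HTTP/1.1" 200 41',
    '198.51.100.7 - - [15/Jun/2026:10:02:13 +0000] "GET /api/diagnosis/start?Time=5%3BPLACEHOLDER HTTP/1.1" 200 41',
    '198.51.100.7 - - [15/Jun/2026:10:02:20 +0000] "GET /api/diagnosis/start?Time=%60PLACEHOLDER%60 HTTP/1.1" 200 41',
    '192.0.2.10 - - [15/Jun/2026:10:05:44 +0000] "GET /index.html?Time=%3B HTTP/1.1" 200 512',
]

def suspicious_requests(lines):
    """Return (client, decoded Time value) for requests that fail the allow-list."""
    hits = []
    for line in lines:
        match = REQUEST.search(line)
        if not match:
            continue
        url = urlsplit(match.group("target"))
        if url.path.rstrip("/") != ENDPOINT:
            continue
        # parse_qs percent-decodes, so encoded shell metacharacters are compared in the clear.
        values = parse_qs(url.query, keep_blank_values=True).get(PARAM, [])
        for value in values:
            if not SAFE_TIME.fullmatch(value):
                hits.append((line.split()[0], value))
    return hits

if __name__ == "__main__":
    for client, value in suspicious_requests(SAMPLE_LOG):
        print(f"{client}: non-numeric Time value {value!r}")
```

An allow-list on the expected value shape is used instead of a list of shell metacharacters, so any unexpected input to the endpoint is surfaced for review.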

Affected Version(s)

SIP-T46U 108.86.0.118

CVSS V4

Score: 5.3
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

CookedMelon (VulDB User)
VulDB CNA Team