Command Injection Vulnerability in Yealink SIP-T46U Devices
CVE-2026-12223

5.1 MEDIUM

Key Information:

Vendor

Yealink

Status
Vendor
CVE Published: 15 June 2026

What is CVE-2026-12223?

A command injection vulnerability has been discovered in the Web FastCGI Service of the Yealink SIP-T46U, specifically in the mod_webd.TFTPUploadIperf function. An attacker on the local network can manipulate input parameters (such as ip/port) to execute arbitrary commands. The exploit is publicly available, which poses a significant risk to vulnerable installations. Despite early warnings, Yealink's response to this issue has been lacking, leaving devices susceptible to exploitation.

Affected Version(s)

SIP-T46U 108.86.0.118

CVSS V4

Score: 5.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Adjacent Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

ChiChen241 (VulDB User)
VulDB CNA Team