Description
A flaw has been found in Yealink SIP-T46U 108.86.0.118. The impacted element is the function mod_diagnose.CommandShellByType of the file /api/diagnosis/start of the component Web FastCGI Service. This manipulation of the argument Time causes command injection. The attack can be initiated remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-06-15
Score: 5.3 Medium (CVSS 4.0 base; 6.3 under CVSS 3.x and 6.5 under CVSS 2.0, see Metrics below)
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the mod_diagnose.CommandShellByType function of the Yealink SIP‑T46U's Web FastCGI Service, reached through the /api/diagnosis/start endpoint. An attacker who can reach that endpoint supplies a crafted value for the Time parameter; the function name and the assigned weaknesses (CWE-74 and CWE-77) indicate that the value is used to build a shell command without adequate neutralization, so shell metacharacters such as `;`, `|`, `&`, backticks or `$(...)` in it are interpreted as additional commands rather than as data. The injected commands run with the privileges of the FastCGI service; the advisory does not state that privilege level, but web services on embedded handsets commonly run as root, so the realistic outcome is remote code execution on the phone, compromising its confidentiality, integrity and availability. Note that every published CVSS vector (Au:S in v2, PR:L in v3.x and v4.0) requires an authenticated, low‑privilege account on the web interface: this is not a pre‑authentication flaw.
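The pattern the paragraph describes, shown as an added Python stand‑in rather than the Yealink firmware's code (which is not public on this page): a handler interpolates the untrusted Time value into one shell command string, versus a hardened handler that allow‑lists the value and never goes through a shell. The placeholder command `echo`, the assumed "short integer" format for Time and the payload string are all constructed for illustration; the real command the device runs is not known from the advisory.

```python
import re
import subprocess

# Constructed Python stand-in for the vulnerable pattern: the handler
# interpolates the untrusted "Time" parameter into a single shell command
# string. "echo" is a harmless placeholder; the actual command executed by the
# Yealink firmware is not known from the advisory.
def start_diagnosis_vulnerable(time_param: str) -> str:
    cmd = f"echo diagnosis start time={time_param}"
    # shell=True hands the whole string to /bin/sh, so ';', '|', '&', '`' and
    # '$(...)' inside time_param are parsed as shell syntax, not as data.
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True, check=False)
    return proc.stdout


# Assumed format for Time: a short non-negative integer (e.g. a duration in
# seconds). The advisory does not document the real format.
TIME_PATTERN = re.compile(r"[0-9]{1,6}")


def start_diagnosis_hardened(time_param: str) -> str:
    # Defense 1: allow-list validation. Reject anything that is not the
    # expected shape before it gets anywhere near a command.
    if TIME_PATTERN.fullmatch(time_param) is None:
        raise ValueError(f"invalid Time parameter: {time_param!r}")
    # Defense 2: never go through a shell. argv elements reach the program
    # verbatim, so even if validation were bypassed, shell metacharacters would
    # be ordinary characters inside a single argument.
    proc = subprocess.run(
        ["echo", f"diagnosis start time={time_param}"],
        capture_output=True, text=True, check=False,
    )
    return proc.stdout


def argv_only_no_validation(time_param: str) -> str:
    # Defense 2 in isolation: the payload survives only as literal text.
    proc = subprocess.run(
        ["echo", f"time={time_param}"], capture_output=True, text=True, check=False
    )
    return proc.stdout


if __name__ == "__main__":
    payload = "5; echo INJECTED"   # constructed injection-shaped value
    print(start_diagnosis_vulnerable(payload))  # second output line "INJECTED": the injected command ran
    print(argv_only_no_validation(payload))     # payload echoed back as data
    try:
        start_diagnosis_hardened(payload)
    except ValueError as exc:
        print("rejected:", exc)
```

The two defenses are independent: validation stops malformed input at the edge, and the argv form removes the shell from the path entirely, so a bypass of one does not become code execution. In C firmware the equivalent is replacing `system()`/`popen()` on a formatted buffer with `fork()` plus `execv()` on a fixed argv.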

Affected Systems

The affected device is the Yealink SIP‑T46U running firmware version 108.86.0.118, the only version named in the advisory. The flaw is in the Web FastCGI Service component accessed through the /api/diagnosis/start endpoint. The CPE attached to the CVE record (cpe:2.3:a:yealink:sip-t46u:*:...) is not version‑scoped, so neither earlier nor later firmware has been confirmed as affected or unaffected; treat other versions as untested rather than safe.

Risk and Exploitability

The CVSS 4.0 base score of 5.3 (6.3 under CVSS 3.x, 6.5 under CVSS 2.0) indicates moderate severity. All published vectors agree on network attack vector, low attack complexity, no user interaction and low privileges required (Au:S / PR:L): the attacker needs valid credentials for the phone's web interface but no local access, so weak, default or shared administrator passwords effectively turn this into an unauthenticated issue. The EPSS score is not available, so the likelihood of exploitation cannot be quantified. The vulnerability is not listed in the CISA KEV catalog, yet a public exploit exists (the temporal metrics carry E:POC / E:P), so the effort required to weaponise it is minimal. The vendor did not respond to the disclosure and no patch or official mitigation notice has been issued, so operators must rely on network segmentation, credential hygiene for the web interface and disabling the vulnerable interface where possible.

Generated by OpenCVE AI on June 15, 2026 at 07:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • If a firmware update that removes or fixes mod_diagnose.CommandShellByType is released, upgrade the Yealink SIP‑T46U immediately; until then, treat firmware 108.86.0.118 as vulnerable and other versions as untested.
  • Restrict access to the phone's web interface, and in particular the /api/diagnosis/start endpoint, to a management network or jump host using a firewall or access control list; handset web UIs should never be reachable from user VLANs or the internet.
  • Because exploitation requires an authenticated low‑privilege account, replace default or shared web‑interface passwords with unique strong ones and review the device's authentication logs for unexpected logins preceding calls to the diagnosis endpoint.
  • Deploy a web application firewall or reverse proxy in front of the device and apply a strict allow‑list to the Time parameter (if it is a numeric duration, digits only), rejecting any value containing shell metacharacters such as `;`, `|`, `&`, backticks or `$(`.
  • Disable the Web FastCGI Service, or at least the diagnosis endpoint, if it is not required for operation; phones managed by central provisioning usually do not need the per‑device web UI enabled.
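The allow‑list rule and the log review recommended above, as one added Python example (not Yealink's code or OpenCVE's tooling). It classifies a request target for /api/diagnosis/start, then runs that check over a few constructed combined‑format access‑log lines as a reverse proxy or log collector in front of the phones would see them. It assumes Time is a short integer carried in the query string; the advisory does not document the parameter's real format or whether it travels in the URL or the request body, so adjust the pattern before using this as a blocking rule.

```python
import re
from urllib.parse import urlsplit, parse_qs

ENDPOINT = "/api/diagnosis/start"
# Assumed format for Time: a short non-negative integer. The advisory does not
# document the real format; confirm it against a known-good request first.
TIME_OK = re.compile(r"[0-9]{1,6}")
# Characters that /bin/sh treats as syntax when they appear unquoted.
SHELL_META = re.compile(r"[;&|`$(){}<>\n\r\\'\"]")


def check_diagnosis_target(target: str) -> tuple:
    """Classify one request target (path plus query string).

    Returns ("pass", reason) or ("block", reason). Only /api/diagnosis/start
    with a Time parameter is examined; everything else passes through.
    """
    parts = urlsplit(target)
    if parts.path != ENDPOINT:
        return ("pass", "not the diagnosis endpoint")
    params = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    values = params.get("Time")
    if not values:
        return ("pass", "no Time parameter")
    for value in values:
        if TIME_OK.fullmatch(value) is None:
            if SHELL_META.search(value):
                return ("block", f"Time={value!r} contains shell metacharacters")
            return ("block", f"Time={value!r} is not a short integer")
    return ("pass", "Time is well-formed")


# Combined log format: client ident user [timestamp] "METHOD target proto" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def scan_access_log(lines):
    """Return one (client, user, target, reason) tuple per blocked request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # not a combined-format line; skip rather than guess
        verdict, reason = check_diagnosis_target(m["target"])
        if verdict == "block":
            hits.append((m["client"], m["user"], m["target"], reason))
    return hits


# Constructed sample log lines (not real traffic). %3B is ';', %60 is '`'.
SAMPLE_LOG = [
    '10.0.40.21 - admin [15/Jun/2026:07:10:01 +0000] "POST /api/diagnosis/start?Time=30 HTTP/1.1" 200 17',
    '10.0.40.21 - admin [15/Jun/2026:07:10:09 +0000] "GET /api/status HTTP/1.1" 200 512',
    '203.0.113.7 - admin [15/Jun/2026:07:12:44 +0000] "POST /api/diagnosis/start?Time=30%3Bid HTTP/1.1" 200 17',
    '203.0.113.7 - admin [15/Jun/2026:07:12:58 +0000] "POST /api/diagnosis/start?Time=%60id%60 HTTP/1.1" 200 17',
    '10.0.40.33 - user1 [15/Jun/2026:07:13:02 +0000] "POST /api/diagnosis/start?Time=abc HTTP/1.1" 400 0',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

Access logs do not record POST bodies, so if the device carries Time in a form or JSON body rather than the query string, this check must run in a proxy that inspects bodies; the log scan then only catches attackers who put the payload in the URL. Malformed but harmless values (the `abc` line) are reported separately from metacharacter hits so analysts can tune the allow‑list without losing the injection signal.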

Generated by OpenCVE AI on June 15, 2026 at 07:51 UTC.


Advisories

No advisories yet.

History

Mon, 15 Jun 2026 06:00:00 +0000

Type: Values Added (the Values Removed column is empty for this entry)

Description: A flaw has been found in Yealink SIP-T46U 108.86.0.118. The impacted element is the function mod_diagnose.CommandShellByType of the file /api/diagnosis/start of the component Web FastCGI Service. This manipulation of the argument Time causes command injection. The attack can be initiated remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title: Yealink SIP-T46U Web FastCGI Service start mod_diagnose.CommandShellByType command injection
First Time appeared: Yealink; Yealink sip-t46u
Weaknesses: CWE-74; CWE-77
CPEs: cpe:2.3:a:yealink:sip-t46u:*:*:*:*:*:*:*:*
Vendors & Products: Yealink; Yealink sip-t46u
References: (none listed)
Metrics:
  cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
  cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-15T04:30:12.020Z

Reserved: 2026-06-14T13:54:13.580Z

Link: CVE-2026-12219

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-15T06:16:23.953

Modified: 2026-06-15T06:16:23.953

Link: CVE-2026-12219

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-15T08:00:16Z

Weaknesses
  • CWE-74

    Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

  • CWE-77

    Improper Neutralization of Special Elements used in a Command ('Command Injection')