A vulnerability was identified in Yealink SIP-T46U 108.86.0.118. The function mod_webd.TFTPUploadIperf of the file /api/inner/tftpuploadiperf of the component Web FastCGI Service is affected. The manipulation of the argument ip/port leads to command injection. The attack needs to be initiated within the local network. The exploit is publicly available and might be used. The vendor was contacted early abou [truncated]
A vulnerability was determined in Yealink SIP-T46U 108.86.0.118. Affected is the function mod_webd.BlueToothTest of the file /api/inner/bttest of the component Web FastCGI Service. Manipulating the argument btMac/pin/reserved can lead to a stack-based buffer overflow. The attack must be carried out from within the local network. The exploit has been publicly disclosed and may be utilized. The vendor [truncated]
A vulnerability was found in Yealink SIP-T46U 108.86.0.118. This impacts the function sprintf of the file /api/upgrade/upgrade of the component Firmware Chunk Upload Handler. Manipulating the argument uid/start_offset results in a stack-based buffer overflow. The attack must be launched from within the local network. The exploit has been made public and could be used. The vendor was contact [truncated]
A stack-based buffer overflow vulnerability has been discovered in Yealink SIP-T46U 108.86.0.118. The issue affects the `mod_upgrade.SparePartsUpload` function in the `/api/upgrade/accupgradebychunk` file of the Firmware Chunk Upload handler. Specifically, manipulation of the `uid` argument leads to the vulnerability. Notably, the attack can only be initiated within the local network. The exploit has been [truncated]
A command injection vulnerability has been discovered in Yealink SIP-T46U 108.86.0.118, specifically in the mod_diagnose.CommandShellByType function of the /api/diagnosis/start endpoint, part of the Web FastCGI Service. This vulnerability allows remote attackers to inject commands by manipulating the Time argument. The vulnerability has been publicly disclosed and an exploit is available. The CVSS score f [truncated]
A high-severity vulnerability, CVE-2026-12218, was detected in Yealink SIP-T46U 108.87.50.1. The vulnerability affects the function StartReportInformation of the file /api/inner/beforewifitest in the Web FastCGI Service component. The manipulation of the argument port results in a stack-based buffer overflow. Access to the local network is required for this attack. The exploit is now public and may be use [truncated]
CVE-2021-27561 is a Yealink Device Management server-side request forgery (SSRF) vulnerability that CISA added to the Known Exploited Vulnerabilities catalog on 2021-11-03. Because it is KEV-listed, defenders should treat remediation as urgent and follow vendor update guidance.