PatchSiren cyber security CVE debrief
CVE-2026-12219 Yealink CVE debrief
A command injection vulnerability has been discovered in Yealink SIP-T46U 108.86.0.118, in the mod_diagnose.CommandShellByType function of the /api/diagnosis/start endpoint, part of the Web FastCGI Service. Remote attackers can inject commands by manipulating the Time argument. The vulnerability has been publicly disclosed and an exploit is available. The CVSS score is 2.1, indicating low severity.
- Vendor: Yealink
- Product: SIP-T46U
- CVSS: LOW 2.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-15
- Original CVE updated: 2026-06-15
- Advisory published: 2026-06-15
- Advisory updated: 2026-06-15
Who should care
Administrators and users of Yealink SIP-T46U 108.86.0.118 are advised to take immediate action to mitigate this vulnerability.
Technical summary
The vulnerability exists in the mod_diagnose.CommandShellByType function of the /api/diagnosis/start endpoint. A remote attacker can inject commands by manipulating the Time argument.
Defensive priority
High
Recommended defensive actions
- Apply patches or updates provided by the vendor to fix the vulnerability.
- Restrict access to the /api/diagnosis/start endpoint to trusted IP addresses or networks.
- Monitor system logs for suspicious activity related to the Web FastCGI Service.
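One way to act on the access-restriction and log-monitoring items above, as an added example that is not from the advisory or the vendor: a log audit that reports every request to /api/diagnosis/start from outside the trusted networks. It assumes the phone's web interface sits behind a reverse proxy that writes combined-format access logs; the trusted networks and the log lines are constructed.

```python
import ipaddress
import re

ENDPOINT = "/api/diagnosis/start"  # endpoint named in the advisory
# Assumption: management networks allowed to reach the diagnosis API.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.20.0.0/24", "192.0.2.10/32")]
# Assumption: a proxy in front of the phone logs in combined format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# Constructed sample log lines (not captured from a real device).
SAMPLE_LOG = """\
10.20.0.15 - - [15/Jun/2026:09:12:01 +0000] "POST /api/diagnosis/start HTTP/1.1" 200 41
203.0.113.77 - - [15/Jun/2026:09:14:33 +0000] "POST /api/diagnosis/start HTTP/1.1" 200 41
203.0.113.77 - - [15/Jun/2026:09:14:40 +0000] "GET / HTTP/1.1" 200 512
198.51.100.4 - - [15/Jun/2026:09:20:02 +0000] "POST /api/diagnosis/start?x=1 HTTP/1.1" 403 0
not a log line
"""

def is_trusted(ip_text):
    """True if the client address falls inside a trusted network."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparseable client field is never trusted
    return any(ip in net for net in TRUSTED_NETS)

def untrusted_diagnosis_requests(log_text):
    """Return one finding per request to ENDPOINT from an untrusted source."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not access-log entries
        # Compare the path only: drop the query string and a trailing slash.
        path = m["target"].split("?", 1)[0].rstrip("/")
        if path != ENDPOINT or is_trusted(m["ip"]):
            continue
        status = int(m["status"])
        # A 403 means the proxy ACL refused the request before the device saw it.
        findings.append({"ip": m["ip"], "time": m["ts"],
                         "status": status, "blocked": status == 403})
    return findings

if __name__ == "__main__":
    for f in untrusted_diagnosis_requests(SAMPLE_LOG):
        print(f)
```

A finding with `blocked` set to false means a source outside the trusted networks reached the endpoint, so the access restriction is missing or misconfigured for that path.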
Evidence notes
The vulnerability was discovered and publicly disclosed on June 15, 2026. The vendor was contacted but did not respond.
Official resources
CVE-2026-12219 was published and modified on June 15, 2026.