{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-12219", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-06-14T13:54:13.580Z", "datePublished": "2026-06-15T04:30:12.020Z", "dateUpdated": "2026-06-27T05:44:59.077Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-06-27T05:44:59.077Z"}, "title": "Yealink SIP-T46U Web FastCGI Service start mod_diagnose.CommandShellByType command injection", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-77", "lang": "en", "description": "Command Injection"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-74", "lang": "en", "description": "Injection"}]}], "affected": [{"vendor": "Yealink", "product": "SIP-T46U", "versions": [{"version": "108.86.0.118", "status": "affected"}, {"version": "108.87.0.23", "status": "unaffected"}], "cpes": ["cpe:2.3:a:yealink:sip-t46u:*:*:*:*:*:*:*:*"], "modules": ["Web FastCGI Service"]}], "descriptions": [{"lang": "en", "value": "A flaw has been found in Yealink SIP-T46U 108.86.0.118. The impacted element is the function mod_diagnose.CommandShellByType of the file /api/diagnosis/start of the component Web FastCGI Service. This manipulation of the argument Time causes command injection. The attack can be initiated remotely. The exploit has been published and may be used. Upgrading to version 108.87.0.23 is sufficient to resolve this issue. It is advisable to upgrade the affected component."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 6.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 6.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C"}}], "timeline": [{"time": "2026-06-14T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-06-14T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-06-27T07:46:21.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "CookedMelon (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/vuln/370862", "name": "VDB-370862 | Yealink SIP-T46U Web FastCGI Service start mod_diagnose.CommandShellByType command injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/370862/cti", "name": "VDB-370862 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/cve/CVE-2026-12219", "name": "CVE-2026-12219 | CVE Analysis and Report", "tags": ["third-party-advisory"]}, {"url": "https://vuldb.com/submit/834204", "name": "Submit #834204 | yealink T46U 108.86.0.118 Command Injection", "tags": ["third-party-advisory"]}, {"url": "http://cdn2.v50to.cc/T46U/T46U_mod_diagnose_CommandShellByType_iperf_time_cmd_injection.zip", "tags": ["broken-link", "exploit"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-15T21:55:48.720036Z", "id": "CVE-2026-12219", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-15T21:55:59.368Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-12219", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-06-15T21:55:48.720036Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-15T21:55:54.462Z"}}], "cna": {"title": "Yealink SIP-T46U Web FastCGI Service start mod_diagnose.CommandShellByType command injection", "credits": [{"lang": "en", "type": "reporter", "value": "CookedMelon (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C"}}], "affected": [{"cpes": ["cpe:2.3:a:yealink:sip-t46u:*:*:*:*:*:*:*:*"], "vendor": "Yealink", "modules": ["Web FastCGI Service"], "product": "SIP-T46U", "versions": [{"status": "affected", "version": "108.86.0.118"}, {"status": "unaffected", "version": "108.87.0.23"}]}], "timeline": [{"lang": "en", "time": "2026-06-14T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-06-14T02:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-06-27T07:46:21.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/vuln/370862", "name": "VDB-370862 | Yealink SIP-T46U Web FastCGI Service start mod_diagnose.CommandShellByType command injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/370862/cti", "name": "VDB-370862 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/cve/CVE-2026-12219", "name": "CVE-2026-12219 | CVE Analysis and Report", "tags": ["third-party-advisory"]}, {"url": "https://vuldb.com/submit/834204", "name": "Submit #834204 | yealink T46U 108.86.0.118 Command Injection", "tags": ["third-party-advisory"]}, {"url": "http://cdn2.v50to.cc/T46U/T46U_mod_diagnose_CommandShellByType_iperf_time_cmd_injection.zip", "tags": ["broken-link", "exploit"]}], "descriptions": [{"lang": "en", "value": "A flaw has been found in Yealink SIP-T46U 108.86.0.118. The impacted element is the function mod_diagnose.CommandShellByType of the file /api/diagnosis/start of the component Web FastCGI Service. This manipulation of the argument Time causes command injection. The attack can be initiated remotely. The exploit has been published and may be used. Upgrading to version 108.87.0.23 is sufficient to resolve this issue. It is advisable to upgrade the affected component."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-77", "description": "Command Injection"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-74", "description": "Injection"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-06-27T05:44:59.077Z"}}}, "cveMetadata": {"cveId": "CVE-2026-12219", "state": "PUBLISHED", "dateUpdated": "2026-06-27T05:44:59.077Z", "dateReserved": "2026-06-14T13:54:13.580Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-06-15T04:30:12.020Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw has been found in Yealink SIP-T46U 108.86.0.118. The impacted element is the function mod_diagnose.CommandShellByType of the file /api/diagnosis/start of the component Web FastCGI Service. This manipulation of the argument Time causes command injection. The attack can be initiated remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "id": "CVE-2026-12219", "lastModified": "2026-06-15T20:42:32.707", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.1, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-06-15T06:16:23.953", "references": [{"source": "cna@vuldb.com", "url": "http://cdn2.v50to.cc/T46U/T46U_mod_diagnose_CommandShellByType_iperf_time_cmd_injection.zip"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/cve/CVE-2026-12219"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/834204"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/370862"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/370862/cti"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-77"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "108.86.0.118"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}]}, "product": "sip-t46u", "vendor": "yealink"}], "created": "2026-06-15T08:00:16.764711+00:00", "updated": "2026-06-27T08:30:07.860994+00:00", "vendors": ["yealink", "yealink$PRODUCT$sip-t46u"]}