CVE-2026-12223 | Yealink SIP-T46U 108.86.0.118 Web FastCGI Service tftpuploadiperf mod_webd.TFTPUploadIperf ip/port command injection

A vulnerability was found in Yealink SIP-T46U 108.86.0.118. It has been classified as critical. Affected by this vulnerability is the function mod_webd.TFTPUploadIperf of the file /api/inner/tftpuploadiperf of the component Web FastCGI Service. The manipulation of the argument ip/port leads to command injection.

This vulnerability is referenced as CVE-2026-12223. The attack needs to be initiated within the local network. Furthermore, an exploit is available.

The vendor was contacted early about this disclosure but did not respond in any way.VulDB Recent EntriesRead More