Buffer Overflow Vulnerability in Shibby Tomato Router Firmware
CVE-2026-10065

8.7 HIGH

Key Information:

Vendor: Shibby

Status
Vendor
CVE Published: 29 May 2026

What is CVE-2026-10065?

A vulnerability has been discovered in Shibby Tomato firmware version 1.28, specifically in the function get_ups_field located in the tomatodata.cgi file. This weakness allows an attacker to manipulate the Date argument, leading to a stack-based buffer overflow. Importantly, this issue can be exploited remotely, posing a significant risk to users of this outdated firmware. Users are advised that Shibby Tomato is no longer supported, and the project has been succeeded by FreshTomato, which may offer enhanced security and features.

Affected Version(s)

Tomato 1.28

CVSS V4

Score: 8.7
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Cormac315 (VulDB User)
VulDB CNA Team