Stack-based Buffer Overflow in Shibby Tomato Firmware from Tomato by Shibby
CVE-2026-10066

8.7 HIGH

Key Information:

Vendor: Shibby

Status
Vendor
CVE Published: 29 May 2026

What is CVE-2026-10066?

Shibby Tomato firmware versions up to 1.28 contain a stack-based buffer overflow caused by improper handling in the UPS Service component, specifically in the function sub_9068 of the tomatoups.cgi file. The flaw can be exploited remotely and can lead to unauthorized memory access, affecting the stability and security of affected systems. Shibby Tomato firmware is no longer supported by its maintainer, so users are advised to migrate to the FreshTomato project.

Affected Version(s)

Tomato 1.0

Tomato 1.1

Tomato 1.2

CVSS V4

Score: 8.7
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Cormac315 (VulDB User)
VulDB CNA Team