Server-Side Request Forgery in Shibby Tomato Firmware
CVE-2026-10068

6.9 MEDIUM

Key Information:

Vendor: Shibby

CVE Published: 29 May 2026

What is CVE-2026-10068?

A vulnerability has been identified in Shibby Tomato Firmware 1.28, in the SUBSCRIBE Call Handler. The flaw is a server-side request forgery caused by improper handling in the send function of the miniupnpd component located in usr/sbin. It can be exploited remotely, allowing an attacker to manipulate requests made by the device and potentially access sensitive information. The vulnerability affects a product that is no longer supported, so users are advised to upgrade to FreshTomato or otherwise secure their devices.

Affected Version(s)

Tomato 1.28

CVSS V4

Score: 6.9
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

VulDB Gitee Analyzer
VulDB CNA Team