Web UI Flaw in Shibby Tomato Router Allows Remote OS Command Injection
CVE-2026-10870

8.6HIGH

Key Information:

Vendor

Shibby

Status
Vendor
CVE Published:
4 June 2026

What is CVE-2026-10870?

A vulnerability exists in Shibby Tomato version 1.28.0000, specifically within the function start_dhcpc of the web interface located at /sbin/rc. This flaw enables attackers to perform OS command injection, potentially allowing unauthorized remote access. Exploitation of this issue permits malicious actors to execute commands on the affected system, raising serious security concerns. Notably, this project has been succeeded by FreshTomato, emphasizing the need for users to migrate to more secure alternatives.

Affected Version(s)

Tomato 1.28.0000

References

CVSS V4

Score:
8.6
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

WH-YHUST (VulDB User)
VulDB CNA Team
.