Web UI Flaw in Shibby Tomato Router Allows Remote OS Command Injection
CVE-2026-10870
8.6HIGH
What is CVE-2026-10870?
A vulnerability exists in Shibby Tomato version 1.28.0000, specifically within the function start_dhcpc of the web interface located at /sbin/rc. This flaw enables attackers to perform OS command injection, potentially allowing unauthorized remote access. Exploitation of this issue permits malicious actors to execute commands on the affected system, raising serious security concerns. Notably, this project has been succeeded by FreshTomato, emphasizing the need for users to migrate to more secure alternatives.
Affected Version(s)
Tomato 1.28.0000
