OS Command Injection Vulnerability in Shibby Tomato Web UI
CVE-2026-10873

8.6HIGH

Key Information:

Vendor

Shibby

Status
Vendor
CVE Published:
4 June 2026

What is CVE-2026-10873?

A vulnerability in Shibby Tomato version 1.28.0000 allows for OS command injection through the rstats_path function located in the Web UI component. An attacker can exploit this vulnerability remotely, enabling them to manipulate commands in the operating system. This risk has been publicly disclosed, raising concerns for users of the affected product, which has since been succeeded by FreshTomato. It is critical for users to be aware of this vulnerability and take action if they are still utilizing the impacted version.

Affected Version(s)

Tomato 1.28.0000

References

CVSS V4

Score:
8.6
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

WH-YHUST (VulDB User)
VulDB CNA Team
.