Description
A weakness has been identified in Shibby Tomato 1.28. This vulnerability affects the function get_ups_field of the file tomatodata.cgi. Executing a manipulation of the argument Date can lead to stack-based buffer overflow. It is possible to launch the attack remotely. This project is superseded by FreshTomato. This vulnerability only affects products that are no longer supported by the maintainer.
Published: 2026-05-29
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability resides in the get_ups_field function of the tomatodata.cgi script in Shibby Tomato version 1.28. By supplying a specially crafted Date argument, an attacker can overflow a stack buffer, a condition classified as CWE-119 and CWE-121. The flaw is exploitable remotely and carries a CVSS score of 8.7, indicating a high likelihood of serious impact if successfully exploited.

Affected Systems

The flaw affects only the Shibby Tomato product in its 1.28 release. The vendor has marked this version as no longer supported and notes that the product is superseded by FreshTomato. Devices running this firmware are therefore on an unsupported code base with no official patch available.

Risk and Exploitability

Because the overflow is triggered via a remote HTTP parameter, an attacker only needs to reach the web interface to trigger it. The EPSS metric is not available, and the vulnerability is not listed in the CISA KEV catalog, but the CVSS score and the remote nature of the attack still warrant a high level of concern. There are no known mitigations from the vendor; the risk remains until the firmware is replaced or the endpoint is isolated.

Generated by OpenCVE AI on May 29, 2026 at 17:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the device to FreshTomato firmware or another supported alternative.
  • If an upgrade is not immediately possible, block or limit external access to the tomatodata.cgi endpoint so that the Date parameter cannot be supplied by untrusted users.
  • Apply input validation or filtering on the Date field so that malicious values cannot trigger the overflow.

Advisories

No advisories yet.

History

Fri, 29 May 2026 18:15:00 +0000

Type: Metrics
Values Removed: none listed
Values Added: ssvc
  {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 29 May 2026 16:15:00 +0000

Type: Description
Values Removed: none listed
Values Added: A weakness has been identified in Shibby Tomato 1.28. This vulnerability affects the function get_ups_field of the file tomatodata.cgi. Executing a manipulation of the argument Date can lead to stack-based buffer overflow. It is possible to launch the attack remotely. This project is superseded by FreshTomato. This vulnerability only affects products that are no longer supported by the maintainer.

Type: Title
Values Removed: none listed
Values Added: Shibby Tomato tomatodata.cgi get_ups_field stack-based overflow

Type: First Time appeared
Values Removed: none listed
Values Added: Shibby; Shibby tomato

Type: Weaknesses
Values Removed: none listed
Values Added: CWE-119; CWE-121

Type: CPEs
Values Removed: none listed
Values Added: cpe:2.3:a:shibby:tomato:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Removed: none listed
Values Added: Shibby; Shibby tomato

Type: References
Values Removed: none listed
Values Added: none listed

Type: Metrics
Values Removed: none listed
Values Added:
  cvssV2_0: {'score': 9, 'vector': 'AV:N/AC:L/Au:S/C:C/I:C/A:C/E:ND/RL:ND/RC:UR'}
  cvssV3_0: {'score': 8.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:R'}
  cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:R'}
  cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-29T17:42:04.607Z

Reserved: 2026-05-29T08:32:27.217Z

Link: CVE-2026-10065

Vulnrichment

Updated: 2026-05-29T17:39:31.871Z

NVD

Status: Deferred

Published: 2026-05-29T16:16:23.210

Modified: 2026-05-29T16:29:52.803

Link: CVE-2026-10065

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T17:45:04Z

Weaknesses