Description
A vulnerability has been found in Shibby Tomato 1.28. The impacted element is an unknown function of the file usr/sbin/miniupnpd. Such manipulation leads to resource consumption. The attack may be launched remotely. This project is superseded by FreshTomato. This vulnerability only affects products that are no longer supported by the maintainer.
Published: 2026-05-29
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the miniupnpd daemon bundled with Shibby Tomato 1.28 allows an attacker to manipulate an unspecified internal function in usr/sbin/miniupnpd, leading to uncontrolled resource consumption. The resulting denial of service reduces the availability of the device for legitimate users and creates an availability risk for networks relying on the appliance. The weakness is classified as CWE-400 and CWE-404.

Affected Systems

Shibby Tomato 1.28 is affected. The project has been superseded by FreshTomato, and the vulnerability only affects products that are no longer supported by the maintainer.

Risk and Exploitability

The CVSS score of 8.7 marks this issue as high severity. The EPSS score is below 1% (very low), but the vulnerability can be triggered remotely, giving attackers a straightforward path to cause service disruption on exposed devices. The CVE is not listed in the CISA KEV catalog, but the potential for denial of service makes it a significant operational risk for unsupported installations.

Generated by OpenCVE AI on May 29, 2026 at 17:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the device to FreshTomato, the successor that eliminates the vulnerable miniupnpd functionality.
  • If upgrading is not possible, disable the miniupnpd service or restrict it to trusted local interfaces only by adjusting service configuration or using firewall rules to block UPnP traffic from external sources.
  • As a temporary measure, limit the amount of resources that miniupnpd can consume by adjusting system limits or using control groups if the functionality is exposed.


Advisories

No advisories yet.

History

Tue, 02 Jun 2026 02:30:00 +0000

Values Added, by type:

  • Metrics (ssvc): {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 29 May 2026 16:15:00 +0000

Values Added, by type:

  • Description: A vulnerability has been found in Shibby Tomato 1.28. The impacted element is an unknown function of the file usr/sbin/miniupnpd. Such manipulation leads to resource consumption. The attack may be launched remotely. This project is superseded by FreshTomato. This vulnerability only affects products that are no longer supported by the maintainer.
  • Title: Shibby Tomato miniupnpd resource consumption
  • First Time appeared: Shibby; Shibby tomato
  • Weaknesses: CWE-400, CWE-404
  • CPEs: cpe:2.3:a:shibby:tomato:*:*:*:*:*:*:*:*
  • Vendors & Products: Shibby; Shibby tomato
  • References:
  • Metrics (cvssV2_0): {'score': 7.8, 'vector': 'AV:N/AC:L/Au:N/C:N/I:N/A:C/E:ND/RL:ND/RC:UR'}
  • Metrics (cvssV3_0): {'score': 7.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:X/RL:X/RC:R'}
  • Metrics (cvssV3_1): {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:X/RL:X/RC:R'}
  • Metrics (cvssV4_0): {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-02T01:37:57.528Z

Reserved: 2026-05-29T08:32:38.317Z

Link: CVE-2026-10069

Vulnrichment

Updated: 2026-06-02T01:37:52.530Z

NVD

Status: Deferred

Published: 2026-05-29T16:16:23.917

Modified: 2026-06-02T03:16:14.850

Link: CVE-2026-10069

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-30T21:18:30Z

Weaknesses
  • CWE-400

    Uncontrolled Resource Consumption

  • CWE-404

    Improper Resource Shutdown or Release