CVE-2026-10870 - Vulnerability Details

- Shibby Tomato Web UI rc start_dhcpc os command injection

Description

A flaw has been found in Shibby Tomato 1.28.0000. This affects the function start_dhcpc of the file /sbin/rc of the component Web UI. This manipulation causes os command injection. It is possible to initiate the attack remotely. The exploit has been published and may be used. This project is superseded by FreshTomato.

Published: 2026-06-04

Score: 8.6 High

EPSS: 2.2% Low

KEV: No

Impact:

Action:

Analysis

Impact

The flaw allows an attacker to inject arbitrary operating‑system commands via the start_dhcpc function in the Shibby Tomato web interface. This is an instance of CWE‑77 (OS Command Injection) and CWE‑78 (OS Command Injection). Successful exploitation grants the attacker the ability to run arbitrary commands with the privileges of the web UI process, effectively creating a remote code execution vector.

Affected Systems

Shibby Tomato version 1.28.0000, specifically the /sbin/rc script that implements the start_dhcpc function. The vulnerability is present in the Web UI component of the Tomato firmware distributed by Shibby.

Risk and Exploitability

The CVSS score of 8.6 classifies this flaw as high severity. The EPSS score of 2% indicates a relatively low but non‑zero probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. The exploit is remote, requiring only web UI access, and published exploits exist, indicating a realistic risk of exploitation. The absence of an official fix implies attackers could perform the injection under any circumstances where the web interface is reachable.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Shibby

Tomato

affected

Version	Status	Constraints
`1.28.0000`	affected	—

No data.

Vendor Product Confidence Versions

Shibby

Tomato

100%

Version	Status	Scheme	Platform
`1.28.0000`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade to a current Tomato or FreshTomato release that addresses the command‑injection flaw.
If an upgrade is not immediately possible, block web‑UI access to only trusted IP ranges and enforce strong authentication before allowing access.
Modify the /sbin/rc script to sanitize the parameters used by start_dhcpc, removing or escaping any user‑supplied input before concatenating it into an OS command.

Generated by OpenCVE AI on June 18, 2026 at 03:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required High

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Multiple

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

This CVE is not in the KEV list.

The EPSS score is 0.02199.

Exploitation poc

Automatable yes

Technical Impact partial

References

Link	Providers
https://gitee.com/WH-YHUST/tomato-rc-nvram-cve/blob/master/gitee-cve-disclosure/advisories/en/01-start_dhcpc.md
https://gitee.com/WH-YHUST/tomato-rc-nvram-cve/blob/master/gitee-cve-disclosure/advisories/zh/01-start_dhcpc.md
https://vuldb.com/cve/CVE-2026-10870
https://vuldb.com/submit/831856
https://vuldb.com/vuln/368360
https://vuldb.com/vuln/368360/cti

History

Mon, 08 Jun 2026 15:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 04 Jun 2026 21:00:00 +0000

Type	Values Removed	Values Added
Description		A flaw has been found in Shibby Tomato 1.28.0000. This affects the function start_dhcpc of the file /sbin/rc of the component Web UI. This manipulation causes os command injection. It is possible to initiate the attack remotely. The exploit has been published and may be used. This project is superseded by FreshTomato.
Title		Shibby Tomato Web UI rc start_dhcpc os command injection
First Time appeared		Shibby Shibby tomato
Weaknesses		CWE-77 CWE-78
CPEs		cpe:2.3:a:shibby:tomato::::::::
Vendors & Products		Shibby Shibby tomato
References		https://gitee.com/WH-YHUST/tomato-rc-nvram-cve/blob/master/gitee-cve-disclosure/advisories/en/01-start_dhcpc.md https://gitee.com/WH-YHUST/tomato-rc-nvram-cve/blob/master/gitee-cve-disclosure/advisories/zh/01-start_dhcpc.md https://vuldb.com/cve/CVE-2026-10870 https://vuldb.com/submit/831856 https://vuldb.com/vuln/368360 https://vuldb.com/vuln/368360/cti
Metrics		cvssV2_0 `{'score': 8.3, 'vector': 'AV:N/AC:L/Au:M/C:C/I:C/A:C/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 7.2, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Shibby Tomato

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-06-04T20:30:16.172Z

Updated: 2026-06-08T15:09:56.944Z

Reserved: 2026-06-04T15:31:57.117Z

Link: CVE-2026-10870

Vulnrichment

Updated: 2026-06-08T15:09:45.649Z

NVD

Status : Deferred

Published: 2026-06-04T21:16:30.220

Modified: 2026-06-08T16:16:33.643

Link: CVE-2026-10870

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T04:00:15Z

Weaknesses

CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required High

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Multiple

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

Exploitation poc

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object