CVE-2026-10872 - Vulnerability Details

- Shibby Tomato Web UI rc start_vpnserver os command injection

Description

A vulnerability was found in Shibby Tomato 1.28.0000. This issue affects the function start_vpnserver of the file /sbin/rc of the component Web UI. Performing a manipulation results in os command injection. The attack can be initiated remotely. The exploit has been made public and could be used. This project is superseded by FreshTomato.

Published: 2026-06-04

Score: 8.6 High

EPSS: 2.6% Low

KEV: No

Impact:

Action:

Analysis

Impact

An OS command injection flaw was discovered in the start_vpnserver function of the /sbin/rc script within the Shibby Tomato Web UI. By manipulating the input to this function, an attacker can execute arbitrary shell commands on the device. This leads to a full compromise of confidentiality, integrity, and availability, as the attacker can gain privileged access to the underlying operating system. The vulnerability is associated with CWE-77 and CWE-78.

Affected Systems

The vulnerability specifically affects Shibby Tomato version 1.28. UI interface that communicates with the start_vpnserver command. No other versions or products are listed as impacted in the current advisory.

Risk and Exploitability

The CVSS score of 8.6 indicates a high severity level. The EPSS score of 3% indicates a low exploitation probability, yet the publicly documented exploit can be triggered remotely via the Web UI, making the risk significant. The vulnerability is not listed in the CISA KEV catalog and no official workaround is provided. The likely attack vector is remote input through the Web UI’s start_vpnserver endpoint. An attacker who can reach the device’s web interface can exploit this flaw to execute arbitrary commands on the device, effectively taking control.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Shibby

Tomato

affected

Version	Status	Constraints
`1.28.0000`	affected	—

No data.

Vendor Product Confidence Versions

Shibby

Tomato

95%

Version	Status	Scheme	Platform
`1.28.0000`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the device firmware to a version that includes the fixed start_vpnserver implementation or switch to the official FreshTomato build.
Restrict network access to the device’s Web UI to trusted internal hosts or apply firewall rules that block external traffic to the affected port.
If an upgrade is not immediately possible, disable or remove the remote start_vpnserver capability from the configuration or patch the web UI handler to validate and sanitize its input against command injection before executing shell commands.

Generated by OpenCVE AI on June 18, 2026 at 03:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required High

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Multiple

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

This CVE is not in the KEV list.

The EPSS score is 0.02635.

Exploitation poc

Automatable no

Technical Impact total

References

Link	Providers
https://gitee.com/WH-YHUST/tomato-rc-nvram-cve/blob/master/gitee-cve-disclosure/advisories/en/03-start_vpnserver.md
https://gitee.com/WH-YHUST/tomato-rc-nvram-cve/blob/master/gitee-cve-disclosure/advisories/zh/03-start_vpnserver.md
https://vuldb.com/cve/CVE-2026-10872
https://vuldb.com/submit/831858
https://vuldb.com/vuln/368362
https://vuldb.com/vuln/368362/cti

History

Fri, 05 Jun 2026 20:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Thu, 04 Jun 2026 22:45:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability was found in Shibby Tomato 1.28.0000. This issue affects the function start_vpnserver of the file /sbin/rc of the component Web UI. Performing a manipulation results in os command injection. The attack can be initiated remotely. The exploit has been made public and could be used. This project is superseded by FreshTomato.
Title		Shibby Tomato Web UI rc start_vpnserver os command injection
First Time appeared		Shibby Shibby tomato
Weaknesses		CWE-77 CWE-78
CPEs		cpe:2.3:a:shibby:tomato::::::::
Vendors & Products		Shibby Shibby tomato
References		https://gitee.com/WH-YHUST/tomato-rc-nvram-cve/blob/master/gitee-cve-disclosure/advisories/en/03-start_vpnserver.md https://gitee.com/WH-YHUST/tomato-rc-nvram-cve/blob/master/gitee-cve-disclosure/advisories/zh/03-start_vpnserver.md https://vuldb.com/cve/CVE-2026-10872 https://vuldb.com/submit/831858 https://vuldb.com/vuln/368362 https://vuldb.com/vuln/368362/cti
Metrics		cvssV2_0 `{'score': 8.3, 'vector': 'AV:N/AC:L/Au:M/C:C/I:C/A:C/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 7.2, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Shibby Tomato

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-06-04T22:15:15.209Z

Updated: 2026-06-05T19:29:31.527Z

Reserved: 2026-06-04T15:32:03.191Z

Link: CVE-2026-10872

Vulnrichment

Updated: 2026-06-05T19:29:27.411Z

NVD

Status : Deferred

Published: 2026-06-04T23:16:48.620

Modified: 2026-06-05T13:26:15.113

Link: CVE-2026-10872

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T04:00:15Z

Weaknesses

CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required High

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Multiple

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

Exploitation poc

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object