Description
A vulnerability was determined in Shibby Tomato 1.28.0000. Impacted is the function rstats_path of the file /bin/rstats of the component Web UI. Executing a manipulation can lead to os command injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. This project is superseded by FreshTomato.
Published: 2026-06-04
Score: 8.6 High
EPSS: 2.7% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A vulnerability was discovered in Shibby Tomato 1.28.0000 that allows an attacker to inject arbitrary operating system commands through the rstats_path function in the /bin/rstats component of the Web UI. This flaw permits execution of malicious commands on the device, which can compromise confidentiality, integrity, and availability of the affected system. The weakness is aligned with CWE-77 and CWE-78, indicating insecure command handling and OS command injection.

Affected Systems

The impacted product is Shibby:Tomato, specifically version 1.28.0000. No other versions are explicitly listed, and the component in question is the Web UI’s /bin/rstats file. The project is superseded by FreshTomato, though versions of FreshTomato are not confirmed to be affected.

Risk and Exploitability

The CVSS score of 8.6 indicates high severity. The EPSS score of 3% indicates a low but non-zero likelihood of exploitation, yet the vulnerability has been publicly disclosed and can be exploited remotely. It is not listed in the CISA KEV catalog. Attackers can send crafted payloads to the rstats_path parameter via the exposed Web UI, leading to remote command execution with the privileges of the affected system.

Generated by OpenCVE AI on June 18, 2026 at 03:50 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply the latest official patch from Shibby or upgrade to FreshTomato to eliminate the vulnerable rstats_path function.
  • If upgrading is not immediately possible, disable or remove the rstats_path feature from the Web UI configuration to prevent exploitation.
  • Configure network firewalls or access controls to restrict external access to the /bin/rstats endpoint and monitor for abnormal command execution activity.


Advisories

No advisories yet.

History

Fri, 05 Jun 2026 20:30:00 +0000

Values removed: none. Values added:

  • Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 04 Jun 2026 22:45:00 +0000

Values removed: none. Values added:

  • Description: A vulnerability was determined in Shibby Tomato 1.28.0000. Impacted is the function rstats_path of the file /bin/rstats of the component Web UI. Executing a manipulation can lead to os command injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. This project is superseded by FreshTomato.
  • Title: Shibby Tomato Web UI rstats rstats_path os command injection
  • First Time appeared: Shibby; Shibby tomato
  • Weaknesses: CWE-77; CWE-78
  • CPEs: cpe:2.3:a:shibby:tomato:*:*:*:*:*:*:*:*
  • Vendors & Products: Shibby; Shibby tomato
  • References: none listed
  • Metrics:
    cvssV2_0 {'score': 8.3, 'vector': 'AV:N/AC:L/Au:M/C:C/I:C/A:C/E:POC/RL:ND/RC:UR'}
    cvssV3_0 {'score': 7.2, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}
    cvssV3_1 {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}
    cvssV4_0 {'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-05T20:05:07.275Z

Reserved: 2026-06-04T15:32:05.935Z

Link: CVE-2026-10873

Vulnrichment

Updated: 2026-06-05T20:04:52.108Z

NVD

Status: Deferred

Published: 2026-06-04T23:16:48.843

Modified: 2026-06-05T20:17:14.127

Link: CVE-2026-10873

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T04:00:15Z

Weaknesses

  • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
  • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')