Description
A vulnerability was found in Shibby Tomato 1.28.0000. It affects the function rstats_path of the file /bin/rstats in the Web UI component. Manipulation can lead to OS command injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be used. This project is superseded by FreshTomato.
Published: 2026-06-04
Score: 8.6 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A vulnerability was discovered in Shibby Tomato 1.28.0000 that allows an attacker to inject arbitrary operating system commands through the rstats_path function of the file /bin/rstats in the Web UI. This flaw permits execution of malicious commands on the device, which can compromise the confidentiality, integrity, and availability of the affected system. The weakness is classified as CWE‑77 and CWE‑78, indicating insecure command handling and OS command injection.

Affected Systems

The impacted product is Shibby Tomato, specifically version 1.28.0000. No other versions are explicitly listed, and the component in question is the Web UI’s /bin/rstats file. The project is superseded by FreshTomato, though versions of FreshTomato are not confirmed to be affected.

Risk and Exploitability

The CVSS score of 8.6 indicates high severity. EPSS data is unavailable and the vulnerability is not listed in the CISA KEV catalog, but it has been publicly disclosed and can be exploited remotely. The CVSS vectors list PR:H, meaning high privileges are required. Attackers can send crafted payloads to the rstats_path parameter via the exposed Web UI, leading to remote command execution with the privileges of the affected system.

Generated by OpenCVE AI on June 4, 2026 at 23:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest official patch from Shibby or upgrade to FreshTomato to eliminate the vulnerable rstats_path function.
  • If upgrading is not immediately possible, disable or remove the rstats_path feature from the Web UI configuration to prevent exploitation.
  • Configure network firewalls or access controls to restrict external access to the /bin/rstats endpoint and monitor for abnormal command execution activity.


Advisories

No advisories yet.

History

Thu, 04 Jun 2026 22:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | A vulnerability was determined in Shibby Tomato 1.28.0000. Impacted is the function rstats_path of the file /bin/rstats of the component Web UI. Executing a manipulation can lead to os command injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. This project is superseded by FreshTomato. |
| Title | | Shibby Tomato Web UI rstats rstats_path os command injection |
| First Time appeared | | Shibby; Shibby tomato |
| Weaknesses | | CWE-77; CWE-78 |
| CPEs | | cpe:2.3:a:shibby:tomato:*:*:*:*:*:*:*:* |
| Vendors & Products | | Shibby; Shibby tomato |
| References | | |
| Metrics | | cvssV2_0: {'score': 8.3, 'vector': 'AV:N/AC:L/Au:M/C:C/I:C/A:C/E:POC/RL:ND/RC:UR'} |
| | | cvssV3_0: {'score': 7.2, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'} |
| | | cvssV3_1: {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'} |
| | | cvssV4_0: {'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'} |


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-04T22:30:13.356Z

Reserved: 2026-06-04T15:32:05.935Z

Link: CVE-2026-10873

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-04T23:16:48.843

Modified: 2026-06-04T23:16:48.843

Link: CVE-2026-10873

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T00:30:06Z

Weaknesses