CVE-2026-10870
HIGHShibby Tomato Web UI rc start_dhcpc os command injection
Title source: cnaDescription
A flaw has been found in Shibby Tomato 1.28.0000. This affects the function start_dhcpc of the file /sbin/rc of the component Web UI. This manipulation causes os command injection. It is possible to initiate the attack remotely. The exploit has been published and may be used. This project is superseded by FreshTomato.
References (6)
Core 6
Core References
Vdb Entry, Technical Description vdb-entry
technical-description
VDB-368360 | Shibby Tomato Web UI rc start_dhcpc os command injection
https://vuldb.com/vuln/368360
Signature, Permissions Required signature
permissions-required
VDB-368360 | CTI Indicators (IOB, IOC, TTP, IOA)
https://vuldb.com/vuln/368360/cti
Third Party Advisory third-party-advisory
CVE-2026-10870 | CVE Analysis and Report
https://vuldb.com/cve/CVE-2026-10870
Related related
https://gitee.com/WH-YHUST/tomato-rc-nvram-cve/blob/master/gitee-cve-disclosure/advisories/en/01-start_dhcpc.md
Third Party Advisory third-party-advisory
Submit #831856 | Tomato Tomato Firmware Shibby-modified Tomato Firmware (MIPS32 LE). Verified on extracted image labeled d2e251333c486810d9bbce816021bcf1b93dd392 (inter OS Command Injection
https://vuldb.com/submit/831856
Scores
CVSS v3
7.2
EPSS
0.0220
EPSS Percentile
80.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-77
CWE-78
Status
published
Products (1)
Shibby/Tomato
1.28.0000
Published
Jun 04, 2026
Tracked Since
Jun 05, 2026