CVE-2026-10873
HIGHShibby Tomato Web UI rstats rstats_path os command injection
Title source: cnaDescription
A vulnerability was determined in Shibby Tomato 1.28.0000. Impacted is the function rstats_path of the file /bin/rstats of the component Web UI. Executing a manipulation can lead to os command injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. This project is superseded by FreshTomato.
References (7)
Core 7
Core References
Vdb Entry, Technical Description vdb-entry
technical-description
VDB-368363 | Shibby Tomato Web UI rstats rstats_path os command injection
https://vuldb.com/vuln/368363
Signature, Permissions Required signature
permissions-required
VDB-368363 | CTI Indicators (IOB, IOC, TTP, IOA)
https://vuldb.com/vuln/368363/cti
Third Party Advisory third-party-advisory
CVE-2026-10873 | CVE Analysis and Report
https://vuldb.com/cve/CVE-2026-10873
Third Party Advisory third-party-advisory
Submit #831867 | Tomato Tomato by Shibby 1.28.0000 MIPSR2-124 K26 USB Big-VPN command injection
https://vuldb.com/submit/831867
Third Party Advisory third-party-advisory
Submit #831866 | Tomato Tomato by Shibby 1.28.0000 MIPSR2-124 K26 USB Big-VPN command injection (Duplicate)
https://vuldb.com/submit/831866
Related related
https://gitee.com/WH-YHUST/tomato-rc-nvram-cve/blob/master/gitee-cve-disclosure/advisories/en/05-rstats.md
Exploit broken-link
exploit
https://gitee.com/WH-YHUST/tomato-rc-nvram-cve/blob/master/gitee-cve-disclosure/advisories/zh/05-rstats.md
Scores
CVSS v3
7.2
EPSS
0.0270
EPSS Percentile
83.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-77
CWE-78
Status
published
Products (1)
Shibby/Tomato
1.28.0000
Published
Jun 04, 2026
Tracked Since
Jun 05, 2026