CVE-2026-10870
published 2026-06-04
Priority P357 | high | 7.2 (CVSS 3.1)
AV:N / AC:L / PR:H / UI:N / S:U / C:H / I:H / A:H
EPSS: 2.20% (80.3th percentile)
A flaw has been found in Shibby Tomato 1.28.0000. This affects the function start_dhcpc of the file /sbin/rc of the component Web UI. This manipulation causes os command injection. It is possible to initiate the attack remotely. The exploit has been published and may be used. This project is superseded by FreshTomato.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| shibby | tomato | — | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 7.3 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| nvd | v2.0 | 8.3 | HIGH | AV:N/AC:L/Au:M/C:C/I:C/A:C |
VulDB
Shibby Tomato 1.28.0000 Web UI /sbin/rc start_dhcpc os command injection (EUVD-2026-34323)
vuldb·2026-06-04·CVSS 7.3
CVE-2026-10870 [HIGH] Shibby Tomato 1.28.0000 Web UI /sbin/rc start_dhcpc os command injection (EUVD-2026-34323)
A vulnerability was found in Shibby Tomato 1.28.0000. It has been classified as critical. This affects the function start_dhcpc of the file /sbin/rc of the component Web UI. This manipulation causes os command injection.
The identification of this vulnerability is CVE-2026-10870. It is possible to initiate the attack remotely. Furthermore, there is an exploit available.
This project is superseded by FreshTomato.
GHSA
A flaw has been found in Shibby Tomato 1.28.0000.
ghsa_unreviewed·2026-06-04
CVE-2026-10870 [HIGH] CWE-77 A flaw has been found in Shibby Tomato 1.28.0000.
A flaw has been found in Shibby Tomato 1.28.0000. This affects the function start_dhcpc of the file /sbin/rc of the component Web UI. This manipulation causes os command injection. It is possible to initiate the attack remotely. The exploit has been published and may be used. This project is superseded by FreshTomato.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://gitee.com/WH-YHUST/tomato-rc-nvram-cve/blob/master/gitee-cve-disclosure/advisories/en/01-start_dhcpc.md
https://gitee.com/WH-YHUST/tomato-rc-nvram-cve/blob/master/gitee-cve-disclosure/advisories/zh/01-start_dhcpc.md
https://vuldb.com/cve/CVE-2026-10870
https://vuldb.com/submit/831856
https://vuldb.com/vuln/368360
https://vuldb.com/vuln/368360/cti
2026-06-04
Published