CVE-2026-10871
Published 2026-06-04
Priority: P2 · 60 · high · 7.2 CVSS 3.1
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS: 2.20% (80.3th percentile)
A vulnerability has been found in Shibby Tomato 1.28.0000. It affects the function start_6rd_tunnel of the file /sbin/rc of the component Web UI. Manipulation of the argument ipv6_6rd_borderrelay leads to OS command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This project is superseded by FreshTomato.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | nifi | — | — |
| shibby | tomato | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 7.3 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| nvd | v2.0 | 8.3 | HIGH | AV:N/AC:L/Au:M/C:C/I:C/A:C |
| vendor_apache | — | 8.7 | HIGH | — |
GHSA
A vulnerability has been found in Shibby Tomato 1.28.0000.
ghsa_unreviewed·2026-06-05
CVE-2026-10871 [HIGH] CWE-77 A vulnerability has been found in Shibby Tomato 1.28.0000.
VulDB
Shibby Tomato 1.28.0000 Web UI /sbin/rc start_6rd_tunnel ipv6_6rd_borderrelay os command injection
vuldb·2026-06-04·CVSS 7.3
CVE-2026-10871 [HIGH] Shibby Tomato 1.28.0000 Web UI /sbin/rc start_6rd_tunnel ipv6_6rd_borderrelay os command injection
A vulnerability was found in Shibby Tomato 1.28.0000. It has been declared as critical. This vulnerability affects the function start_6rd_tunnel of the file /sbin/rc of the component Web UI. Such manipulation of the argument ipv6_6rd_borderrelay leads to os command injection.
This vulnerability is referenced as CVE-2026-10871. It is possible to launch the attack remotely. Furthermore, an exploit is available.
This project is superseded by FreshTomato.
Apache
Apache nifi: CVE-2026-25903
vendor_apache·CVSS 8.7
CVE-2026-25903 [HIGH] Apache nifi: CVE-2026-25903
Title: Missing Authorization of Restricted Permissions for Component Updates
Published: 2026-02-16
Severity: High
Products: Apache NiFi
Affected Versions: 1.1.0 to 2.7.2
Fixed Versions: 2.8.0
Reporter: David Handermann
References
CVE Record: CVE-2026-25903
NVD Record: CVE-2026-25903
Apache Jira Issue: NIFI-15567
GitHub Pull Request: 10871

Apache NiFi 1.1.0 through 2.7.2 are missing authorization when updating configuration properties on extension components that have specific Required Permissions based on the Restricted annotation. The Restricted annotation indicates additional privileges required to add the annotated component to the flow configuration, but framework authorization did not check restricted status when updating a component previously added. The m
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://gitee.com/WH-YHUST/tomato-rc-nvram-cve/blob/master/gitee-cve-disclosure/advisories/en/02-start_6rd_tunnel.md
https://gitee.com/WH-YHUST/tomato-rc-nvram-cve/blob/master/gitee-cve-disclosure/advisories/zh/02-start_6rd_tunnel.md
https://vuldb.com/cve/CVE-2026-10871
https://vuldb.com/submit/831857
https://vuldb.com/vuln/368361
https://vuldb.com/vuln/368361/cti
Published: 2026-06-04