CVE-2026-10872
Published 2026-06-04
CVE-2026-10872: A vulnerability was found in Shibby Tomato 1.28.0000. This issue affects the function start_vpnserver of the file /sbin/rc of the component Web UI. Performing…
Priority P359 · high · 7.2 · CVSS 3.1
AV:N / AC:L / PR:H / UI:N / S:U / C:H / I:H / A:H
EPSS
2.63%
83.6th percentile
A vulnerability was found in Shibby Tomato 1.28.0000. This issue affects the function start_vpnserver of the file /sbin/rc of the component Web UI. Performing a manipulation results in os command injection. The attack can be initiated remotely. The exploit has been made public and could be used. This project is superseded by FreshTomato.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| shibby | tomato | — | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 7.3 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| nvd | v2.0 | 8.3 | HIGH | AV:N/AC:L/Au:M/C:C/I:C/A:C |
GHSA
A vulnerability was found in Shibby Tomato 1.28.0000.
ghsa_unreviewed·2026-06-05
CVE-2026-10872 [HIGH] CWE-77 A vulnerability was found in Shibby Tomato 1.28.0000.
VulDB
Shibby Tomato 1.28.0000 Web UI /sbin/rc start_vpnserver os command injection
vuldb·2026-06-04·CVSS 7.3
CVE-2026-10872 [HIGH] Shibby Tomato 1.28.0000 Web UI /sbin/rc start_vpnserver os command injection
A vulnerability was found in Shibby Tomato 1.28.0000. It has been rated as critical. This issue affects the function start_vpnserver of the file /sbin/rc of the component Web UI. Performing a manipulation results in os command injection.
This vulnerability is identified as CVE-2026-10872. The attack can be initiated remotely. Additionally, an exploit exists.
This project is superseded by FreshTomato.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://gitee.com/WH-YHUST/tomato-rc-nvram-cve/blob/master/gitee-cve-disclosure/advisories/en/03-start_vpnserver.md
https://gitee.com/WH-YHUST/tomato-rc-nvram-cve/blob/master/gitee-cve-disclosure/advisories/zh/03-start_vpnserver.md
https://vuldb.com/cve/CVE-2026-10872
https://vuldb.com/submit/831858
https://vuldb.com/vuln/368362
https://vuldb.com/vuln/368362/cti
Published: 2026-06-04