CVE-2026-10873
Published 2026-06-04
Priority: P3 · 58 · high · 7.2 (CVSS 3.1)
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS: 2.70% (84.0th percentile)
A vulnerability was determined in Shibby Tomato 1.28.0000. Impacted is the function rstats_path of the file /bin/rstats of the component Web UI. Executing a manipulation can lead to os command injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. This project is superseded by FreshTomato.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| shibby | tomato | — | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 7.3 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| nvd | v2.0 | 8.3 | HIGH | AV:N/AC:L/Au:M/C:C/I:C/A:C |
GHSA
A vulnerability was determined in Shibby Tomato 1.28.0000.
ghsa_unreviewed·2026-06-05
CVE-2026-10873 [HIGH] CWE-77 A vulnerability was determined in Shibby Tomato 1.28.0000.
VulDB
Shibby Tomato 1.28.0000 Web UI /bin/rstats rstats_path os command injection
vuldb·2026-06-04·CVSS 7.3
CVE-2026-10873 [HIGH] Shibby Tomato 1.28.0000 Web UI /bin/rstats rstats_path os command injection
A vulnerability categorized as critical has been discovered in Shibby Tomato 1.28.0000. Impacted is the function rstats_path of the file /bin/rstats of the component Web UI. Executing a manipulation can lead to os command injection.
This vulnerability is tracked as CVE-2026-10873. The attack can be launched remotely. Moreover, an exploit is present.
This project is superseded by FreshTomato.
https://gitee.com/WH-YHUST/tomato-rc-nvram-cve/blob/master/gitee-cve-disclosure/advisories/en/05-rstats.md
https://gitee.com/WH-YHUST/tomato-rc-nvram-cve/blob/master/gitee-cve-disclosure/advisories/zh/05-rstats.md
https://vuldb.com/cve/CVE-2026-10873
https://vuldb.com/submit/831866
https://vuldb.com/submit/831867
https://vuldb.com/vuln/368363
https://vuldb.com/vuln/368363/cti