CVE-2026-10871

HIGH 7.2

Shibby Tomato Web UI rc start_6rd_tunnel os command injection

CVSS Score

7.2

EPSS Score

0.1%

EPSS Percentile

32th

A vulnerability has been found in Shibby Tomato 1.28.0000. This vulnerability affects the function start_6rd_tunnel of the file /sbin/rc of the component Web UI. Such manipulation of the argument ipv6_6rd_borderrelay leads to os command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. This project is superseded by FreshTomato.

CWE	CWE-78 CWE-77
Vendor	shibby
Product	tomato
Published	Jun 4, 2026
Last Updated	Jun 8, 2026

Stay Ahead of the Next One

Get instant alerts for shibby tomato

Be the first to know when new high vulnerabilities affecting shibby tomato are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

Shibby / Tomato

1.28.0000

References

NVD ↗ CVE.org ↗ EPSS Data ↗

vuldb.com: https://vuldb.com/vuln/368361 vuldb.com: https://vuldb.com/vuln/368361/cti vuldb.com: https://vuldb.com/cve/CVE-2026-10871 vuldb.com: https://vuldb.com/submit/831857 gitee.com: https://gitee.com/WH-YHUST/tomato-rc-nvram-cve/blob/master/gitee-cve-disclosure/advisories/en/02-start_6rd_tunnel.md gitee.com: https://gitee.com/WH-YHUST/tomato-rc-nvram-cve/blob/master/gitee-cve-disclosure/advisories/zh/02-start_6rd_tunnel.md

Credits

🔍 WH-YHUST (VulDB User) VulDB CNA Team