CVE-2026-10873
Shibby Tomato Web UI rstats rstats_path os command injection
CVSS Score
7.2
EPSS Score
0.1%
EPSS Percentile
32th
A vulnerability was determined in Shibby Tomato 1.28.0000. Impacted is the function rstats_path of the file /bin/rstats of the component Web UI. Executing a manipulation can lead to os command injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. This project is superseded by FreshTomato.
| CWE | CWE-78 CWE-77 |
| Vendor | shibby |
| Product | tomato |
| Published | Jun 4, 2026 |
| Last Updated | Jun 5, 2026 |
Stay Ahead of the Next One
Get instant alerts for shibby tomato
Be the first to know when new high vulnerabilities affecting shibby tomato are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Affected Versions
Shibby / Tomato
1.28.0000
References
vuldb.com: https://vuldb.com/vuln/368363 vuldb.com: https://vuldb.com/vuln/368363/cti vuldb.com: https://vuldb.com/cve/CVE-2026-10873 vuldb.com: https://vuldb.com/submit/831867 vuldb.com: https://vuldb.com/submit/831866 gitee.com: https://gitee.com/WH-YHUST/tomato-rc-nvram-cve/blob/master/gitee-cve-disclosure/advisories/en/05-rstats.md gitee.com: https://gitee.com/WH-YHUST/tomato-rc-nvram-cve/blob/master/gitee-cve-disclosure/advisories/zh/05-rstats.md
Credits
๐ WH-YHUST (VulDB User) VulDB CNA Team