
Description

A vulnerability was identified in Shibby Tomato 1.28.0000. It affects the function rstats_path in the file /bin/rstats of the Web UI component. Manipulation of this function can lead to OS command injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be used. This project is superseded by FreshTomato.

PUBLISHED Reserved 2026-06-04 | Published 2026-06-04 | Updated 2026-06-05 | Assigner VulDB




HIGH: 8.6 CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
HIGH: 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R
HIGH: 7.2 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R
8.3 AV:N/AC:L/Au:M/C:C/I:C/A:C/E:POC/RL:ND/RC:UR

Problem types

OS Command Injection

Command Injection

Product status

1.28.0000: affected

Timeline

2026-06-04: Advisory disclosed
2026-06-04: VulDB entry created
2026-06-04: VulDB entry last update

Credits

WH-YHUST (VulDB User) reporter

VulDB CNA Team coordinator

References

gitee.com/...gitee-cve-disclosure/advisories/en/05-rstats.md exploit

vuldb.com/vuln/368363 (VDB-368363 | Shibby Tomato Web UI rstats rstats_path os command injection) vdb-entry technical-description

vuldb.com/vuln/368363/cti (VDB-368363 | CTI Indicators (IOB, IOC, TTP, IOA)) signature permissions-required

vuldb.com/cve/CVE-2026-10873 (CVE-2026-10873 | CVE Analysis and Report) third-party-advisory

vuldb.com/submit/831867 (Submit #831867 | Tomato Tomato by Shibby 1.28.0000 MIPSR2-124 K26 USB Big-VPN command injection) third-party-advisory

vuldb.com/submit/831866 (Submit #831866 | Tomato Tomato by Shibby 1.28.0000 MIPSR2-124 K26 USB Big-VPN command injection (Duplicate)) third-party-advisory

gitee.com/...gitee-cve-disclosure/advisories/en/05-rstats.md related

gitee.com/...gitee-cve-disclosure/advisories/zh/05-rstats.md broken-link exploit

cve.org (CVE-2026-10873)

nvd.nist.gov (CVE-2026-10873)
