HIGH 8.8

CVE-2026-10065: Shibby Tomato 1.28 Stack Buffer Overflow in tomatodata.cgi

Shibby Tomato 1.28 contains a stack-based buffer overflow vulnerability in the UPS data retrieval function of its web interface. An authenticated attacker can manipulate the Date parameter to overflow a buffer on the stack, potentially executing arbitrary code on the affected device. Since Shibby Tomato is no longer maintained and has been superseded by FreshTomato, this vulnerability affects legacy installations that have not migrated to the actively supported successor.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-119, CWE-121
Affected products
0 configuration(s)
Published / Modified
2026-05-29 / 2026-06-17

NVD description (verbatim)

A weakness has been identified in Shibby Tomato 1.28. This vulnerability affects the function get_ups_field of the file tomatodata.cgi. Executing a manipulation of the argument Date can lead to stack-based buffer overflow. It is possible to launch the attack remotely. This project is superseded by FreshTomato. This vulnerability only affects products that are no longer supported by the maintainer.

6 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-10065 is a stack-based buffer overflow in the get_ups_field function within tomatodata.cgi in Shibby Tomato 1.28. The vulnerability stems from insufficient input validation on the Date parameter, allowing an authenticated attacker to craft a request that writes beyond the bounds of a stack-allocated buffer. This results in memory corruption that can be leveraged for code execution with the privileges of the web server process. The attack surface is the network interface; authentication is required, meaning the attacker must have valid credentials or exploit a secondary unauthenticated vector to reach this endpoint.

Business impact

Organizations running unsupported Shibby Tomato instances face runtime compromise risk. Successful exploitation grants an authenticated attacker the ability to execute arbitrary code on the router or embedded device, potentially leading to complete device takeover, lateral network movement, data exfiltration, or persistent backdoor installation. For enterprises with legacy networking equipment still using Shibby Tomato, this vulnerability presents a significant threat if those devices are accessible to compromised user accounts or connected to untrusted networks. The end-of-life status of Shibby Tomato means no vendor security updates will be released.

Affected systems

This vulnerability affects Shibby Tomato version 1.28. Since Shibby Tomato is no longer actively maintained, any deployment of this firmware version remains vulnerable. The project has been superseded by FreshTomato, which interested users should consider for continued support and security patches. Devices running Shibby Tomato are typically embedded network appliances, routers, or specialized networking hardware.

Exploitability

The vulnerability requires authentication to trigger, which raises the bar compared to unauthenticated remote code execution. However, the attack complexity is low—once authenticated, the exploit is straightforward input manipulation without race conditions or other timing requirements. The network vector and the prevalence of weak or reused credentials in embedded device deployments mean that authenticated access is often achievable through password spray, credential stuffing, or compromise of a user account. Exploitation directly results in privilege escalation and system compromise with high impact (confidentiality, integrity, and availability).

Remediation

The definitive remediation is to upgrade from Shibby Tomato 1.28 to FreshTomato, the actively maintained successor project. FreshTomato provides ongoing security updates and maintenance. If immediate migration is not feasible, implement network segmentation to restrict access to the affected device only to trusted users and systems. Review user credentials for accounts with access to the web interface and enforce strong passwords. Additionally, monitor for exploitation attempts targeting tomatodata.cgi, particularly requests with anomalous Date parameter values. As a defense-in-depth measure, run the device on an isolated VLAN with minimal necessary connections.

Patch guidance

Shibby Tomato is no longer receiving vendor updates. The only supported remediation path is to migrate to FreshTomato. Consult the FreshTomato project documentation and release notes for installation procedures specific to your hardware. Verify compatibility before deploying, as FreshTomato support may vary by device model. Test in a non-production environment first. For organizations unable to migrate immediately, apply the network isolation and credential hardening measures outlined in the remediation section.

Detection guidance

Monitor HTTP logs for requests to tomatodata.cgi with Date parameter values that are abnormally long, contain binary or non-ASCII characters, or include obvious buffer overflow patterns (repeated character sequences). Correlate such requests with authentication logs to identify which accounts are being targeted. Set up IDS/IPS rules to flag requests to this endpoint with oversized parameters. In environments where Shibby Tomato is still deployed, enable verbose logging on the web server process if available and review access logs regularly. Additionally, use file integrity monitoring on the device firmware and configuration to detect unauthorized modifications indicative of successful exploitation.

Why prioritize this

Despite the authentication requirement, this vulnerability warrants prompt attention because: (1) it provides direct remote code execution with high impact, (2) Shibby Tomato's end-of-life status means no patches will ever be issued, and (3) embedded network devices often have weak or default credentials that are readily compromised. The CVSS 3.1 score of 8.8 (HIGH) reflects the confluence of these factors. Organizations should prioritize identifying any remaining Shibby Tomato deployments and scheduling migration to FreshTomato or decommissioning the devices.

Risk score, explained

The CVSS 3.1 score of 8.8 (HIGH) reflects a network-accessible vulnerability with low attack complexity, requiring low-privilege user authentication, that results in complete compromise of confidentiality, integrity, and availability (CIS). While authentication is mandatory, the scope remains unchanged (affecting only the vulnerable component), and the impact metrics are at maximum. The high score appropriately reflects the severity in an end-of-life product where no patches are forthcoming and exploitation can lead to full system compromise.

Frequently asked questions

Is this vulnerability actively being exploited in the wild?

There is no indication in the CISA Known Exploited Vulnerabilities catalog that this vulnerability is currently weaponized or seeing active exploit activity. However, the presence of functional exploits is possible given the straightforward nature of the vulnerability, and the lack of KEV status does not eliminate exploitation risk—it warrants continued monitoring and swift mitigation for any affected deployments.

What is the difference between Shibby Tomato and FreshTomato?

FreshTomato is the community-maintained successor to Shibby Tomato. It provides active development, security updates, and broader hardware support. Shibby Tomato has been superseded and no longer receives maintenance or security patches. Organizations using Shibby Tomato should plan a migration to FreshTomato to maintain security and receive ongoing vendor support.

Can I remediate this vulnerability without replacing the firmware?

No permanent remediation is possible without upgrading to a patched version or moving to FreshTomato. Temporary mitigation measures include network segmentation, strict access control to the web interface, strong credential policies, and continuous monitoring for exploitation attempts. However, these do not eliminate the vulnerability—they only reduce exposure until migration is complete.

Does this vulnerability affect FreshTomato?

FreshTomato is the successor project to Shibby Tomato and is actively maintained. While this specific vulnerability was identified in Shibby Tomato 1.28, FreshTomato development has addressed many legacy issues. Verify the FreshTomato release notes and advisories to confirm the status of this particular flaw in that codebase, and prioritize deploying the latest stable release.

This analysis is based on publicly available vulnerability data as of the publication date. CVSS scores and severity ratings are provided by the National Vulnerability Database and do not constitute legal liability assessment. Organizations should conduct their own risk analysis specific to their infrastructure, configurations, and threat landscape. Patch version numbers and availability should be verified directly with FreshTomato project documentation and release notes. This advisory does not constitute legal, financial, or security consulting advice. SEC.co recommends engaging qualified security professionals to assess the impact and remediation strategy for your environment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).