CVE-2026-10068: SSRF in Shibby Tomato 1.28 miniupnpd (Unmaintained)
A server-side request forgery (SSRF) vulnerability has been identified in Shibby Tomato version 1.28, specifically within the miniupnpd daemon's SUBSCRIBE call handler. An attacker can exploit this flaw remotely without authentication to make the affected device perform unintended network requests on their behalf. This could lead to unauthorized access to internal services, data exfiltration, or lateral movement within a network. However, the practical impact is limited since Shibby Tomato is no longer maintained, with the project having been superseded by FreshTomato.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.3 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
- Weaknesses (CWE)
- CWE-918
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-05-29 / 2026-06-17
NVD description (verbatim)
A flaw has been found in Shibby Tomato 1.28. The affected element is the function send of the file usr/sbin/miniupnpd of the component SUBSCRIBE Call Handler. This manipulation causes server-side request forgery. The attack may be initiated remotely. This project is superseded by FreshTomato. This vulnerability only affects products that are no longer supported by the maintainer.
5 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability exists in the send function of /usr/sbin/miniupnpd within Shibby Tomato 1.28. The SUBSCRIBE call handler fails to properly validate or sanitize user-supplied input before using it to construct network requests. This classic SSRF pattern (CWE-918) allows an unauthenticated remote attacker to specify arbitrary URLs or internal IP addresses, causing the miniupnpd process to initiate connections on their behalf. The network-accessible attack vector, low complexity, and absence of required privileges or user interaction result in a CVSS 3.1 score of 7.3 (HIGH).
Business impact
Organizations running legacy Shibby Tomato deployments face potential compromise of internal network resources. An attacker could use an affected device as a pivot point to scan or attack other internal services, bypass firewall restrictions, or retrieve sensitive data from internal systems. The lack of ongoing vendor support means no security patches will be released. For environments still relying on Shibby Tomato, this vulnerability increases exposure to network-based attacks and lateral movement risks. Migration to FreshTomato or alternative router firmware is strongly recommended.
Affected systems
Shibby Tomato version 1.28 is confirmed affected. Because Shibby Tomato is no longer actively maintained (superseded by FreshTomato), affected installations are limited to legacy deployments where no updates are available. The miniupnpd component runs with elevated privileges typical of UPnP services on network devices, amplifying the impact of exploitation.
Exploitability
This vulnerability is remotely exploitable without requiring authentication, credentials, or user interaction. The attack complexity is low—exploitation requires only crafting a malicious SUBSCRIBE request with a forged callback URL. The primary barrier to widespread exploitation is that Shibby Tomato installations are concentrated among legacy and enthusiast deployments rather than mainstream commercial use. No public exploit code, proof-of-concept, or evidence of active exploitation has been reported.
Remediation
Direct patching is not possible since Shibby Tomato is unmaintained. The definitive remedy is to migrate to FreshTomato, the successor project that receives ongoing security updates and maintenance. Affected organizations should evaluate FreshTomato compatibility with their hardware and perform a controlled firmware upgrade. As an interim defensive measure, restrict UPnP-related traffic at the network perimeter and disable UPnP/miniupnpd if not operationally required.
Patch guidance
Shibby Tomato will not receive patches. Users should transition to FreshTomato, which is actively maintained and addresses security issues. Before upgrading, verify hardware compatibility on the FreshTomato project documentation and review release notes for the latest stable build. Test the new firmware in a non-production environment if possible. After upgrading, confirm that miniupnpd runs the patched version by checking the service status and version identifiers.
Detection guidance
Monitor for SUBSCRIBE requests to the miniupnpd service (typically UDP port 1900) containing suspicious or malformed callback URLs. Log and alert on UPnP subscription attempts originating from untrusted network segments. Network-based intrusion detection systems should flag SSRF-like patterns in UPnP traffic, such as requests containing internal IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) in callback parameters. Endpoint logging on affected devices (if available) should capture miniupnpd process behavior and outbound connection attempts.
Why prioritize this
While the CVSS score is HIGH (7.3), prioritization should be tempered by the fact that Shibby Tomato is obsolete and largely confined to legacy or hobby deployments. However, organizations still running Shibby Tomato should treat this as urgent because no patches exist and the vulnerability is trivially exploitable. The combination of network accessibility, lack of authentication, and direct impact on internal network security justifies immediate migration planning. For organizations not running Shibby Tomato, this is a reminder to deprecate and replace unsupported firmware.
Risk score, explained
The CVSS 3.1 score of 7.3 reflects a network-accessible SSRF with low attack complexity and no authentication requirements. The impact is rated as partial across confidentiality, integrity, and availability—an attacker can read internal resources, modify requests, and potentially cause denial of service through resource exhaustion. The scope is unchanged (attacker does not affect resources outside the vulnerable component's security scope). The HIGH severity is justified, though real-world risk is moderated by the small population of Shibby Tomato users.
Frequently asked questions
Is my router affected if it's running the latest version of Shibby Tomato?
If you are running Shibby Tomato version 1.28, you are affected. However, you should know that Shibby Tomato is no longer maintained; the project ended and was superseded by FreshTomato. If you are running any version of Shibby Tomato, you are not receiving security updates and should migrate to FreshTomato or another actively maintained alternative as soon as possible.
What can an attacker do with this vulnerability?
An attacker can make your router perform network requests to arbitrary destinations on their behalf. This allows them to scan internal networks, access services running on localhost or internal IP addresses, retrieve sensitive data, or attack other devices on your network. The attacker does not need credentials or physical access—they only need to send a crafted UPnP SUBSCRIBE request over the network.
I'm still running Shibby Tomato. What should I do immediately?
Prioritize migration to FreshTomato, which is actively maintained and receives security updates. Verify that FreshTomato is compatible with your router hardware, back up your current configuration, and plan a firmware upgrade in a maintenance window. As a temporary mitigation, disable UPnP/miniupnpd if you do not rely on it, and restrict UPnP traffic at your network perimeter or firewall.
Does FreshTomato fix this vulnerability?
FreshTomato is the actively maintained successor to Shibby Tomato and receives ongoing security updates. A migration to FreshTomato will move you away from the vulnerable Shibby Tomato codebase. However, verify the FreshTomato release notes and security advisories to confirm that miniupnpd and related components have been patched for SSRF and other known issues.
This analysis is based on published CVE data and vendor advisories available as of the modification date. Shibby Tomato is no longer maintained; users should consult the FreshTomato project for current security guidance. No exploit code or weaponized proof-of-concept is provided. Organizations should conduct their own risk assessment based on their specific environment, asset inventory, and network configuration. Patch version numbers and specific remediation steps should be verified against official vendor advisories before implementation. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-10107HIGHMoviePilot v2 SSRF in Image Proxy Allows Internal Network Access
- CVE-2026-10280HIGHServer-Side Request Forgery in Horizon921 mcpilot 0.1.0
- CVE-2026-10287HIGHSSRF in SourceCodester SEO Meta Tag Extractor 1.0
- CVE-2026-10771HIGHCRMEB Java SSRF Vulnerability in QR Code Endpoint
- CVE-2026-42398HIGHKibana Webhook SSRF Vulnerability—Egress Allowlist Bypass
- CVE-2026-42965HIGHOpenShift Router SSRF via FQDN EndpointSlice
- CVE-2026-44285HIGHFastGPT SSRF Vulnerability in Dataset Preview Endpoint
- CVE-2026-10052MEDIUMQuay SSRF in LDAP/SMTP Validation—Internal Network Reconnaissance Risk