CVE-2026-10873: OS Command Injection in Shibby Tomato 1.28.0000 Web UI
Shibby Tomato 1.28.0000 contains a command injection vulnerability in its web interface that allows authenticated administrators to execute arbitrary operating system commands. The vulnerability exists in the rstats_path function within the /bin/rstats component. Because exploit code has been publicly disclosed, the risk of active exploitation is elevated. Note that this project has been superseded by FreshTomato, and users should verify their upgrade path accordingly.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.2 HIGH · CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-77, CWE-78
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
A vulnerability was determined in Shibby Tomato 1.28.0000. Impacted is the function rstats_path of the file /bin/rstats of the component Web UI. Executing a manipulation can lead to os command injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. This project is superseded by FreshTomato.
8 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10873 is an OS command injection vulnerability (CWE-77, CWE-78) in Shibby Tomato 1.28.0000's web UI. The rstats_path function in /bin/rstats fails to properly sanitize user-supplied input before passing it to system command execution. The vulnerability requires high privilege (administrator authentication) but presents no user interaction requirement. An authenticated attacker can inject shell metacharacters to break out of intended command boundaries and execute arbitrary commands with the privileges of the web service. The CVSS 3.1 score of 7.2 (HIGH) reflects the high impact across confidentiality, integrity, and availability, tempered by the requirement for prior authentication.
Business impact
Compromise of a Shibby Tomato instance by an authenticated administrator (or by an attacker who has obtained administrative credentials) could lead to full system takeover. An attacker could read sensitive configuration files, modify firewall rules, redirect traffic, or use the compromised router as a pivot point into the network. For organizations relying on Shibby Tomato in production environments, this represents a critical insider risk and a post-authentication escalation vector. The disclosure of exploit code increases the likelihood of opportunistic attacks against exposed instances.
Affected systems
Shibby Tomato version 1.28.0000 is confirmed affected. Earlier and later versions require verification against the vendor advisory. Users should check the official Shibby Tomato project documentation for a complete version list; note that this project is superseded by FreshTomato, and organizations should assess whether they have already migrated or plan to migrate to the successor project.
Exploitability
The vulnerability requires authentication as an administrator, which moderately restricts the attack surface in well-secured networks. However, the public disclosure of exploit code and the straightforward nature of command injection (no complex constraints or bypass techniques needed) mean that any attacker with valid high-privilege credentials or who has phished/compromised such credentials poses an immediate threat. The remote network-accessible nature of the web UI means no physical access or VPN is strictly necessary if the interface is exposed to the internet or an untrusted network segment.
Remediation
Upgrade to a patched version of Shibby Tomato once available from the vendor, or migrate to FreshTomato if that aligns with your organization's roadmap. In the interim, restrict administrative access to the web UI to trusted networks or VPNs, disable the web interface if not actively needed, and implement strong administrator credential hygiene (unique, complex passwords; multi-factor authentication where available). Monitor firewall logs and web UI access logs for suspicious activity.
Patch guidance
Consult the official Shibby Tomato project repository and release notes for patched versions addressing CVE-2026-10873. Verify the specific version number against the vendor advisory before deployment. Given that Shibby Tomato is superseded by FreshTomato, evaluate whether upgrading to FreshTomato is the intended migration path for your environment, and test any migration in a non-production setting first. Coordinate patching with network stability requirements.
Detection guidance
Monitor /bin/rstats and the web UI access logs for requests to the rstats_path function containing shell metacharacters (|, ;, &, $(), backticks, etc.) or unusual parameter values. Inspect web server logs (if available) for POST/GET requests with suspicious payloads to web UI endpoints. Use endpoint detection and response (EDR) tools to detect unexpected child process spawning from the web service process, particularly commands that deviate from normal administrative tasks. Correlate web UI access logs with unexpected system command execution.
Why prioritize this
Although this vulnerability requires authentication, the publicly disclosed exploit code, the HIGH CVSS score, and the wide-ranging impact on confidentiality, integrity, and availability warrant prioritization. Organizations with Shibby Tomato deployed should treat this as a near-term remediation target, especially if the web UI is exposed to untrusted networks or if there is any risk of administrator credential compromise. The fact that the project is superseded also creates urgency around migration planning.
Risk score, explained
The CVSS 3.1 score of 7.2 reflects a HIGH-severity vulnerability: remote network access, low attack complexity, and high impact across all three security dimensions (C, I, A). The requirement for high-privilege authentication (PR:H) prevents a higher score; however, post-authentication command injection is a critical capability that can lead to complete system compromise. In practical terms, organizations should not deprioritize this based solely on the authentication requirement—credential compromise or insider threats make this a substantial risk.
Frequently asked questions
Does this affect FreshTomato?
The advisory specifies Shibby Tomato 1.28.0000. FreshTomato is a separate successor project. Consult FreshTomato's security advisories and release notes to confirm whether this specific CVE or a similar vulnerability affects that codebase.
What if we cannot patch immediately?
Implement network-level access controls to restrict administrative access to the web UI from trusted networks only. Disable the web interface if it is not actively required. Enforce strong, unique administrator passwords and enable any available multi-factor authentication. Monitor logs closely for suspicious activity.
Is this actively being exploited in the wild?
The advisory indicates that exploit code has been publicly disclosed. While the CVE is not (yet) on the CISA Known Exploited Vulnerabilities (KEV) catalog, public disclosure substantially increases the likelihood of opportunistic attacks. Assume hostile actors have access to the technical details.
What is the difference between Shibby Tomato and FreshTomato?
FreshTomato is the successor project to Shibby Tomato. If you are currently running Shibby Tomato, verify your organization's upgrade roadmap. Migration may be warranted not only for this CVE but also for ongoing security maintenance and feature updates.
This analysis is provided for informational purposes and should not be considered legal or professional security advice. Organizations must verify all patch versions and upgrade paths against official vendor advisories before deployment. CVSS scores and vulnerability classifications are based on the provided metadata and should be validated against the official CVE record. The supersession of Shibby Tomato by FreshTomato requires verification of each organization's migration and support status. Security teams should conduct their own risk assessment based on their specific environment, asset inventory, and threat model. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10214HIGHCommand Injection in chatgpt-on-wechat Bash Tool
- CVE-2026-10219HIGHGoClaw Command Injection Vulnerability
- CVE-2026-10273HIGHRemote Code Execution in php-censor Webhook Handler
- CVE-2026-10870HIGHShibby Tomato 1.28.0000 OS Command Injection Vulnerability
- CVE-2026-10871HIGHShibby Tomato Remote Command Injection via IPv6 6rd Parameter
- CVE-2026-10872HIGHOS Command Injection in Shibby Tomato 1.28.0000 Web UI
- CVE-2026-10279MEDIUMOS Command Injection in wezterm-mcp 0.1.0
- CVE-2024-52011HIGHCommand Injection in launch-editor via Malicious Filenames on Windows