PatchSiren cyber security CVE debrief
CVE-2026-10870 Shibby CVE debrief
A HIGH severity vulnerability has been identified in Shibby Tomato 1.28.0000. The vulnerability, tracked as CVE-2026-10870, is caused by a flaw in the start_dhcpc function of the /sbin/rc file in the Web UI component. The flaw allows OS command injection and can be exploited remotely. The CVSS score for this vulnerability is 7.3. The vulnerability has been publicly disclosed and an exploit has been published. Shibby Tomato is superseded by FreshTomato.
- Vendor: Shibby
- Product: Tomato
- CVSS: HIGH 7.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-04
- Original CVE updated: 2026-06-08
- Advisory published: 2026-06-04
- Advisory updated: 2026-06-08
Who should care
Administrators and users of Shibby Tomato 1.28.0000, as well as those using FreshTomato, should be aware of this vulnerability and take necessary precautions to mitigate the risk.
Technical summary
The vulnerability is caused by a flaw in the start_dhcpc function of the /sbin/rc file in the Web UI component of Shibby Tomato 1.28.0000. The flaw allows OS command injection and can be exploited remotely.
Defensive priority
HIGH
Recommended defensive actions
- Update to the latest version of FreshTomato, which is not vulnerable to this issue.
- Restrict access to the Web UI component to prevent remote exploitation.
- Monitor for any suspicious activity on the affected system.
Evidence notes
The vulnerability has been publicly disclosed and an exploit has been published. The CVSS score for this vulnerability is 7.3, indicating a HIGH severity level.
Official resources
CVE-2026-10870 was published on 2026-06-04T21:16:30.220Z and modified on 2026-06-08T16:16:33.643Z.