PatchSiren cyber security CVE debrief
CVE-2026-10871 Shibby CVE debrief
A vulnerability has been found in Shibby Tomato 1.28.0000. It affects the function start_6rd_tunnel in the file /sbin/rc of the Web UI component. Manipulating the argument ipv6_6rd_borderrelay leads to OS command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This project is superseded by FreshTomato.
- Vendor: Shibby
- Product: Tomato
- CVSS: HIGH 7.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-04
- Original CVE updated: 2026-06-05
- Advisory published: 2026-06-04
- Advisory updated: 2026-06-05
Who should care
Users of Shibby Tomato 1.28.0000, particularly those with remote access to the Web UI, should be aware of this vulnerability and take steps to mitigate it.
Technical summary
The vulnerability is caused by improper handling of the ipv6_6rd_borderrelay argument in the start_6rd_tunnel function of /sbin/rc. This allows for OS command injection, enabling remote attackers to execute arbitrary commands.
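The following is an added illustration, not code from Shibby Tomato or FreshTomato. It shows one way firmware code can handle a setting such as ipv6_6rd_borderrelay, assuming the value is meant to be an IPv4 address (which a 6rd border relay is): parse it strictly, regenerate it from the parsed bytes, and pass it as a single argv element instead of building a shell string. The function names, HELPER_PATH and the --border-relay option are hypothetical.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Placeholder helper path; not a path from the firmware. */
#define HELPER_PATH "/path/to/tunnel-helper"

/* Parse an untrusted border relay setting as a strict IPv4 literal and write
 * a canonical copy, regenerated from the parsed bytes, into out.
 * Returns 0 on success, -1 if the value is rejected. */
int canonical_border_relay(const char *untrusted, char *out, size_t outlen)
{
    struct in_addr addr;

    if (untrusted == NULL || out == NULL || outlen < INET_ADDRSTRLEN)
        return -1;
    /* The longest dotted quad is 15 characters. */
    if (strlen(untrusted) >= INET_ADDRSTRLEN)
        return -1;
    /* inet_pton rejects anything that is not exactly a.b.c.d in decimal. */
    if (inet_pton(AF_INET, untrusted, &addr) != 1)
        return -1;
    return inet_ntop(AF_INET, &addr, out, (socklen_t)outlen) ? 0 : -1;
}

/* Fill argv for an execv()-style call so the relay is exactly one argument
 * and no shell ever interprets it. The option name is hypothetical. */
int build_tunnel_argv(const char *untrusted, char *relay, size_t relaylen,
                      const char *argv[4])
{
    if (canonical_border_relay(untrusted, relay, relaylen) != 0)
        return -1;
    argv[0] = HELPER_PATH;
    argv[1] = "--border-relay";
    argv[2] = relay;
    argv[3] = NULL;
    return 0;
}

int main(void)
{
    /* Constructed sample values, not taken from any device. */
    const char *samples[] = { "192.0.2.1", "192.0.2.1;x", "256.0.2.1", "" };
    char relay[INET_ADDRSTRLEN];
    const char *argv[4];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = build_tunnel_argv(samples[i], relay, sizeof relay, argv);
        printf("%-12s -> %s\n", samples[i], rc == 0 ? argv[2] : "rejected");
    }
    return 0;
}
```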
Defensive priority
HIGH
Recommended defensive actions
- Apply patches or updates from the vendor, if available.
- Use secure communication protocols to protect against remote exploitation.
- Limit access to the Web UI to trusted users and networks.
- Consider migrating to FreshTomato, as Shibby Tomato is superseded.
Evidence notes
The CVE-2026-10871 vulnerability has a CVSS score of 7.3 and is classified as HIGH severity. The vulnerability is related to CWE-77 and CWE-78.
Official resources
CVE-2026-10871 was published on 2026-06-04T22:16:52.063Z and modified on 2026-06-05T13:26:15.113Z.