PatchSiren cyber security CVE debrief
CVE-2026-10873 Shibby CVE debrief
A vulnerability was found in Shibby Tomato 1.28.0000. It affects the function rstats_path in the file /bin/rstats of the Web UI component. Manipulation can lead to OS command injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be used. This project is superseded by FreshTomato.
- Vendor: Shibby
- Product: Tomato
- CVSS: HIGH 7.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-04
- Original CVE updated: 2026-06-05
- Advisory published: 2026-06-04
- Advisory updated: 2026-06-05
Who should care
Users of Shibby Tomato 1.28.0000, administrators of networks using this software, and security teams monitoring for potential command injection attacks.
Technical summary
The vulnerability, CVE-2026-10873, is an OS command injection issue in the rstats_path function of the /bin/rstats file within the Web UI component of Shibby Tomato 1.28.0000. This allows remote attackers to execute OS commands, posing a significant risk. The CVSS score for this vulnerability is 7.3, indicating a high severity level.
Defensive priority
High
Recommended defensive actions
- Upgrade to FreshTomato or another secure alternative.
- Restrict access to the Web UI component.
- Implement additional security measures to monitor and prevent OS command injection attacks.
Evidence notes
The vulnerability has been publicly disclosed and may be used. References include [ref-4], [ref-5], and [ref-6].
Official resources
CVE-2026-10873 was published on 2026-06-04T23:16:48.843Z and modified on 2026-06-05T20:17:14.127Z.