PatchSiren cyber security CVE debrief
CVE-2026-15545 Shibby CVE debrief
A vulnerability was identified in Shibby Tomato up to 1.28.0000, affecting the function main of the file www/apcupsd/tomatodata.cgi in the apcupsd component, leading to out-of-bounds write. The attack may be launched remotely. This project is superseded by FreshTomato. Users should review and apply patches. Evidence is limited to CVE and NVD details. Defenders should verify affected product deployments and review official advisories with caution due to limited source information.
- Vendor
- Shibby
- Product
- Tomato
- CVSS
- HIGH 7.4
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-13
- Original CVE updated
- 2026-07-13
- Advisory published
- 2026-07-13
- Advisory updated
- 2026-07-13
Who should care
Users of Shibby Tomato up to 1.28.0000, particularly those managing or securing affected deployments, should review and apply patches for the apcupsd component. Security teams and vulnerability management teams should prioritize this due to the remote attack possibility.
Technical summary
The vulnerability is caused by an out-of-bounds write in the main function of www/apcupsd/tomatodata.cgi in the apcupsd component of Shibby Tomato up to 1.28.0000. The attack may be launched remotely, and the CVSS score is 7.4, classified as HIGH. The CVE record was published on 2026-07-13T09:16:24.043Z and has not been modified since. Limited evidence suggests defenders should verify affected deployments exist and review official advisories.
Defensive priority
High priority due to remote attack possibility and high CVSS score of 7.4. Immediate review and patching are recommended.
Recommended defensive actions
- Review and apply patches for the affected component apcupsd in Shibby Tomato up to 1.28.0000
- Restrict access to the affected file www/apcupsd/tomatodata.cgi
- Monitor for suspicious activity related to the component apcupsd
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record was published on 2026-07-13T09:16:24.043Z and has not been modified since. The NVD entry is currently Received. Evidence is limited to CVE and NVD details. Defenders should verify affected product deployments and review official advisories.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-13T09:16:24.043Z and has not been modified since.