Skip to main content

Shibby Tomato CVE-2026-10066

| EUVDEUVD-2026-33341 HIGH
Buffer Overflow (CWE-119)
2026-05-29 cna@vuldb.com GHSA-5f6x-gjgm-pqx4
8.7
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
May 29, 2026 - 16:45 vuln.today

DescriptionCVE.org

A security vulnerability has been detected in Shibby Tomato up to 1.28. This issue affects the function sub_9068 of the file tomatoups.cgi of the component UPS Service. The manipulation leads to stack-based buffer overflow. The attack can be initiated remotely. This project is superseded by FreshTomato. This vulnerability only affects products that are no longer supported by the maintainer.

AnalysisAI

Stack-based buffer overflow in Shibby Tomato router firmware (versions up to 1.28) allows authenticated remote attackers to corrupt memory in the UPS Service CGI handler, potentially leading to code execution or device compromise. The flaw resides in function sub_9068 of tomatoups.cgi and carries a CVSS 4.0 score of 8.7, but no public exploit identified at time of analysis. Critically, this project is end-of-life - superseded by FreshTomato - so no vendor patch will be issued.

Technical ContextAI

Shibby Tomato is a community fork of the Tomato router firmware (a Linux-based replacement firmware for consumer routers, originally derived from HyperWRT). The vulnerable component is tomatoups.cgi, a CGI binary that implements the UPS (Uninterruptible Power Supply) monitoring service exposed through the router's web administration interface. CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) covers the root cause class: the sub_9068 function performs an unsafe write to a fixed-size stack buffer without adequate bounds checking, allowing adjacent stack frame data - including saved return addresses - to be overwritten. On embedded MIPS/ARM router platforms typically running Tomato, classical stack smashing exploitation is often feasible because such firmware historically ships without modern mitigations like stack canaries, ASLR, or non-executable stacks.

RemediationAI

No vendor-released patch identified at time of analysis - Shibby Tomato is abandoned and the maintainer will not issue fixes. The primary remediation is to migrate affected routers to the actively maintained FreshTomato fork (https://freshtomato.org), which carries forward the Tomato lineage with ongoing security maintenance; verify after flashing that the equivalent tomatoups.cgi handler has been patched or the UPS feature is absent. As compensating controls pending migration, disable the UPS service in the router's administrative interface if not actively used (trade-off: loss of UPS monitoring/shutdown integration), restrict the web admin interface to a trusted management VLAN or specific LAN IPs via the router's firewall (trade-off: requires console/SSH for emergency access from other networks), block WAN-side access to the admin port entirely if exposed, and rotate the admin password to a strong unique value to raise the bar against the PR:L authentication prerequisite. Reference: https://vuldb.com/vuln/367152.

Share

CVE-2026-10066 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy