Skip to main content

Shibby Tomato CVE-2026-10068

| EUVDEUVD-2026-33345 MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-05-29 cna@vuldb.com GHSA-2hxv-86mh-6c78
6.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
May 29, 2026 - 16:54 vuln.today

DescriptionCVE.org

A flaw has been found in Shibby Tomato 1.28. The affected element is the function send of the file usr/sbin/miniupnpd of the component SUBSCRIBE Call Handler. This manipulation causes server-side request forgery. The attack may be initiated remotely. This project is superseded by FreshTomato. This vulnerability only affects products that are no longer supported by the maintainer.

AnalysisAI

Server-side request forgery in Shibby Tomato 1.28 allows unauthenticated remote attackers to force the router to issue arbitrary HTTP requests via a crafted UPnP SUBSCRIBE callback URL processed by the miniupnpd daemon's send() function. The affected firmware is end-of-life with no vendor patch forthcoming; the project has been superseded by FreshTomato. No public exploit code or CISA KEV listing has been identified at time of analysis, but the CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms the attack is remotely exploitable without authentication or special conditions on reachable devices.

Technical ContextAI

The vulnerability resides in the miniupnpd daemon shipped with Shibby Tomato 1.28 - specifically the send() function within the SUBSCRIBE call handler located at usr/sbin/miniupnpd. UPnP SUBSCRIBE is a protocol mechanism by which a client registers a callback URL to receive event notifications from a UPnP device. The root cause (CWE-918: Server-Side Request Forgery) arises when the daemon's send() function forwards HTTP requests to a caller-supplied CALLBACK URL without validating or restricting the destination, allowing an attacker to direct the router to reach arbitrary internal or external HTTP endpoints. Shibby Tomato is a third-party Linux-based firmware for home/SOHO routers (based on Tomato firmware); version 1.28 is the documented affected release. No CPE strings were provided in the source data, so version scope is limited to what the description explicitly names.

RemediationAI

No vendor-released patch exists for Shibby Tomato 1.28, as the product is end-of-life and the maintainer no longer provides updates. The primary remediation is migration to FreshTomato, the actively maintained successor project, which should be evaluated for a patched miniupnpd implementation. As an immediate compensating control, UPnP should be disabled on affected devices if the feature is not operationally required - this eliminates the SUBSCRIBE attack surface entirely, though it will break any UPnP-dependent LAN clients (smart TVs, gaming consoles, etc.). If UPnP must remain enabled, network-layer controls should be applied to restrict UPnP traffic (typically UDP/TCP port 1900 and associated HTTP ports) to trusted LAN segments only, preventing external or untrusted network access to the miniupnpd listener. Firewall rules blocking outbound HTTP from the router to internal RFC 1918 ranges can partially limit SSRF pivot reach but are non-trivial to implement on affected firmware. Full hardware replacement or firmware migration remains the only durable fix.

Share

CVE-2026-10068 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy