Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A flaw has been found in Shibby Tomato 1.28. The affected element is the function send of the file usr/sbin/miniupnpd of the component SUBSCRIBE Call Handler. This manipulation causes server-side request forgery. The attack may be initiated remotely. This project is superseded by FreshTomato. This vulnerability only affects products that are no longer supported by the maintainer.
AnalysisAI
Server-side request forgery in Shibby Tomato 1.28 allows unauthenticated remote attackers to force the router to issue arbitrary HTTP requests via a crafted UPnP SUBSCRIBE callback URL processed by the miniupnpd daemon's send() function. The affected firmware is end-of-life with no vendor patch forthcoming; the project has been superseded by FreshTomato. No public exploit code or CISA KEV listing has been identified at time of analysis, but the CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms the attack is remotely exploitable without authentication or special conditions on reachable devices.
Technical ContextAI
The vulnerability resides in the miniupnpd daemon shipped with Shibby Tomato 1.28 - specifically the send() function within the SUBSCRIBE call handler located at usr/sbin/miniupnpd. UPnP SUBSCRIBE is a protocol mechanism by which a client registers a callback URL to receive event notifications from a UPnP device. The root cause (CWE-918: Server-Side Request Forgery) arises when the daemon's send() function forwards HTTP requests to a caller-supplied CALLBACK URL without validating or restricting the destination, allowing an attacker to direct the router to reach arbitrary internal or external HTTP endpoints. Shibby Tomato is a third-party Linux-based firmware for home/SOHO routers (based on Tomato firmware); version 1.28 is the documented affected release. No CPE strings were provided in the source data, so version scope is limited to what the description explicitly names.
RemediationAI
No vendor-released patch exists for Shibby Tomato 1.28, as the product is end-of-life and the maintainer no longer provides updates. The primary remediation is migration to FreshTomato, the actively maintained successor project, which should be evaluated for a patched miniupnpd implementation. As an immediate compensating control, UPnP should be disabled on affected devices if the feature is not operationally required - this eliminates the SUBSCRIBE attack surface entirely, though it will break any UPnP-dependent LAN clients (smart TVs, gaming consoles, etc.). If UPnP must remain enabled, network-layer controls should be applied to restrict UPnP traffic (typically UDP/TCP port 1900 and associated HTTP ports) to trusted LAN segments only, preventing external or untrusted network access to the miniupnpd listener. Firewall rules blocking outbound HTTP from the router to internal RFC 1918 ranges can partially limit SSRF pivot reach but are non-trivial to implement on affected firmware. Full hardware replacement or firmware migration remains the only durable fix.
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33345
GHSA-2hxv-86mh-6c78