Skip to main content

Shibby Tomato CVE-2026-10069

| EUVDEUVD-2026-33347 HIGH
Uncontrolled Resource Consumption (CWE-400)
2026-05-29 cna@vuldb.com GHSA-55h4-63gw-7vcm
8.7
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
May 29, 2026 - 16:46 vuln.today

DescriptionCVE.org

A vulnerability has been found in Shibby Tomato 1.28. The impacted element is an unknown function of the file usr/sbin/miniupnpd. Such manipulation leads to resource consumption. The attack may be launched remotely. This project is superseded by FreshTomato. This vulnerability only affects products that are no longer supported by the maintainer.

AnalysisAI

Remote denial-of-service in Shibby Tomato 1.28 firmware allows unauthenticated network attackers to exhaust resources via the miniupnpd UPnP daemon at usr/sbin/miniupnpd. The affected project is end-of-life and superseded by FreshTomato, meaning no upstream fix will be issued. No public exploit identified at time of analysis, but the CVSS 4.0 score of 8.7 reflects high availability impact with no authentication or user interaction required.

Technical ContextAI

Shibby Tomato is a community-maintained fork of the Tomato router firmware for consumer SOHO routers, now discontinued in favor of FreshTomato. The vulnerable component, miniupnpd, is the MiniUPnP daemon that implements UPnP IGD and NAT-PMP services typically exposed on the LAN interface to allow LAN clients to request port mappings on the router. CWE-400 (Uncontrolled Resource Consumption) indicates the daemon fails to properly bound memory, CPU, connection, or mapping-table usage when processing crafted requests, allowing an attacker to drive the process or device into exhaustion. Because miniupnpd often runs as a privileged long-lived service on the router, its degradation directly impacts routing and NAT functionality for all clients behind the device.

RemediationAI

No vendor-released patch identified at time of analysis, and none will be issued because Shibby Tomato is end-of-life. The primary remediation is to migrate affected routers to the actively maintained FreshTomato successor firmware (https://freshtomato.org), which inherits and continues development of the Tomato codebase and should be reviewed to confirm whether its bundled miniupnpd is a newer, fixed version. As compensating controls until migration, disable the UPnP/NAT-PMP service entirely in the router's administrative interface (trade-off: LAN applications such as gaming consoles, BitTorrent, and some VoIP clients that rely on automatic port mapping will need manual port forwarding); ensure miniupnpd is not bound to the WAN interface (trade-off: none for typical deployments, as WAN-side UPnP is already considered insecure); and segment untrusted LAN devices such as IoT onto a separate VLAN that cannot reach the router's UPnP listener (trade-off: increased network configuration complexity). Track the issue via https://vuldb.com/vuln/367155 for any further disclosure details.

Share

CVE-2026-10069 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy