Skip to main content

Shibby Tomato CVE-2026-15547

| EUVDEUVD-2026-43317 LOW
OS Command Injection (CWE-78)
2026-07-13 VulDB GHSA-fv5c-8924-mvcw
2.1
CVSS 4.0 · Vendor: VulDB

Severity by source

Vendor (VulDB) PRIMARY
2.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.8 HIGH

OS command injection on router firmware yields full device compromise; PR:L reflects required low-privilege auth confirmed by CVSS 4.0 input vector.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulDB).

CVSS VectorVendor: VulDB

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Severity Changed
Jul 13, 2026 - 09:22 NVD
MEDIUM LOW
CVSS changed
Jul 13, 2026 - 09:22 NVD
5.3 (MEDIUM) 2.1 (LOW)
Analysis Generated
Jul 13, 2026 - 09:05 vuln.today
CVE Published
Jul 13, 2026 - 08:30 cve.org
MEDIUM 5.3

DescriptionCVE.org

A weakness has been identified in Shibby Tomato up to 1.28.0000. This affects the function sub_2D048 of the component CIFS Mount Handler. Executing a manipulation of the argument cifs1/cifs2 can lead to os command injection. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. This project is superseded by FreshTomato.

AnalysisAI

OS command injection in Shibby Tomato firmware up to 1.28.0000 allows authenticated remote attackers to execute arbitrary commands on the underlying router OS by manipulating the cifs1 or cifs2 arguments passed to the CIFS Mount Handler function sub_2D048. A publicly available proof-of-concept exploit exists on Gitee, lowering the barrier to exploitation. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privilege router credentials
Delivery
Authenticate to Shibby Tomato web interface
Exploit
Craft malicious cifs1/cifs2 parameter with shell metacharacters
Execution
Submit HTTP request to CIFS Mount Handler
Persist
sub_2D048 passes unsanitized input to OS shell
Impact
Execute arbitrary commands on router

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to hold at minimum low-privilege authenticated access to the Shibby Tomato web management interface (CVSS PR:L confirmed). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N with VC:L/VI:L/VA:L) scores 5.3 (Medium), but this appears to understate real-world impact for OS command injection on router firmware, where arbitrary code execution commonly equates to full device compromise including credential exposure, persistent backdoor installation, and pivot capability into the LAN. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained low-privilege credentials to the Shibby Tomato web interface (e.g., via credential guessing, phishing, or a shared password) submits a crafted HTTP request to the CIFS mount configuration endpoint, embedding shell metacharacters in the cifs1 or cifs2 parameter. The unsanitized input is passed directly to a system call in sub_2D048, executing arbitrary OS commands on the router as a privileged user. …
Remediation No patch will be released for Shibby Tomato as the project is end-of-life and superseded by FreshTomato; the primary remediation is to migrate to FreshTomato or another actively maintained firmware (e.g., OpenWRT, DD-WRT) that receives security updates. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Tomato

View all
CVE-2026-10124 HIGH POC
7.4 May 30

Stack-based buffer overflow in Shibby Tomato router firmware (versions up to 1.28) allows remote attackers to corrupt me

CVE-2026-15545 HIGH POC
7.4 Jul 13

Out-of-bounds write in the Shibby Tomato router firmware (versions up to and including 1.28.0000) lets authenticated rem

CVE-2026-15544 HIGH POC
7.4 Jul 13

Remote authenticated command execution is possible in Shibby Tomato router firmware through version 1.28.0000, where the

CVE-2026-10873 HIGH POC
7.3 Jun 04

OS command injection in Shibby Tomato 1.28.0000 firmware allows authenticated remote attackers to execute arbitrary oper

CVE-2026-10870 HIGH POC
7.3 Jun 04

OS command injection in Shibby Tomato 1.28.0000 router firmware allows authenticated remote attackers to execute arbitra

CVE-2026-10872 HIGH POC
7.3 Jun 04

OS command injection in Shibby Tomato 1.28.0000 router firmware allows authenticated remote attackers to execute arbitra

CVE-2026-10871 HIGH POC
7.3 Jun 04

OS command injection in Shibby Tomato 1.28.0000 router firmware allows authenticated remote attackers to execute arbitra

CVE-2013-7379 MEDIUM POC
6.8 May 16

The admin API in the tomato module before 0.0.6 for Node.js does not properly check the access key when it is set to a s

CVE-2026-15548 HIGH
7.4 Jul 13

Stack-based buffer overflow in Shibby Tomato router firmware (versions up to and including 1.28.0000) allows a remote, l

CVE-2026-15546 LOW POC
2.1 Jul 13

OS command injection in Shibby Tomato router firmware through version 1.28.0000 allows low-privileged remote attackers t

Share

CVE-2026-15547 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy