Skip to main content

Mondoo

Vulnerability Management
Technology
Services

Solutions

Financial Services
Manufacturing
Healthcare

Resources

Blog
Vulnerability Database
Documentation
GitHub

Company

About
Careers
Partners
Contact

Legal

Privacy
Terms
Imprint

© 2026 Mondoo, Inc.

Log in Get Assessment

CVE-2026-10873 | Mondoo Vulnerability Intelligence

Vulnerability IntelligenceCVE-2026-10873

CVE-2026-10873

HIGH8.6

Shibby Tomato Web UI rstats rstats_path os command injection

Published Jun 4, 2026

Modified 2 weeks ago

Details

A vulnerability was determined in Shibby Tomato 1.28.0000. Impacted is the function rstats_path of the file /bin/rstats of the component Web UI. Executing a manipulation can lead to os command injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. This project is superseded by FreshTomato.

References

https://gitee.com/WH-YHUST/tomato-rc-nvram-cve/blob/master/gitee-cve-disclosure/advisories/en/05-rstats.md

https://gitee.com/WH-YHUST/tomato-rc-nvram-cve/blob/master/gitee-cve-disclosure/advisories/zh/05-rstats.md

https://vuldb.com/cve/CVE-2026-10873

https://vuldb.com/submit/831866

https://vuldb.com/submit/831867

https://vuldb.com/vuln/368363

https://vuldb.com/vuln/368363/cti

https://www.cve.org/CVERecord?id=CVE-2026-10873

CVSS Analysis

CVSS v4.0

8.6

Exploitability

Attack Vector

NetworkAV:N

Attack Complexity

LowAC:L

Attack Requirements

NoneAT:N

Privileges Required

HighPR:H

User Interaction

NoneUI:N

Vulnerable System

Vuln. Confidentiality

HighVC:H

Vuln. Integrity

HighVI:H

Vuln. Availability

HighVA:H

Subsequent System

Subseq. Confidentiality

NoneSC:N

Subseq. Integrity

NoneSI:N

Subseq. Availability

NoneSA:N

8.6/CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

Weakness Type (CWE)

Injection

OS Command Injection

Input Validation

Command Injection

Ecosystems

Timeline

PublishedJun 4, 2026

ModifiedJun 5, 2026