VYPR
High severity · CVSS 8.8 · NVD Advisory · Published May 29, 2026 · Updated May 29, 2026

CVE-2026-10065

Description

A weakness has been identified in Shibby Tomato 1.28. The vulnerability affects the function get_ups_field in the file tomatodata.cgi. Manipulating the argument Date can lead to a stack-based buffer overflow. The attack can be launched remotely. This project is superseded by FreshTomato. The vulnerability only affects products that are no longer supported by the maintainer.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stack-based buffer overflow in Shibby Tomato 1.28 tomatodata.cgi via the Date argument allows remote attackers to execute arbitrary code.

Vulnerability

A stack-based buffer overflow vulnerability exists in Shibby Tomato firmware version 1.28. The flaw resides in the function get_ups_field within the file tomatodata.cgi. By manipulating the Date argument, an attacker can trigger a buffer overflow on the stack. This project is superseded by FreshTomato and is no longer supported by the maintainer. The vulnerability affects only the unsupported Shibby Tomato 1.28 release [1].

Exploitation

An attacker can exploit this vulnerability remotely without requiring authentication. The attack vector involves sending a crafted HTTP request to the tomatodata.cgi endpoint with an overly long Date parameter. The lack of proper bounds checking in get_ups_field allows the attacker-supplied data to overflow the stack buffer, potentially overwriting critical control flow data [1].
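The advisory attributes the flaw to a missing bounds check when get_ups_field copies the Date argument into a fixed-size stack buffer. The C program below is an added illustration of the check that defect class lacks; it is not Tomato's or FreshTomato's code, and the function names get_field_bounded and handle_ups_request, the FIELD_MAX size and the sample query strings are all constructed for this example. The extractor measures the value before writing a single byte and rejects anything that would not fit, so an overlong parameter is refused instead of overwriting the caller's stack frame.

```c
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 32  /* hypothetical fixed-size stack buffer for the Date field */

/* Hypothetical bounded extractor: copies the value of `key` from a
 * query string into `out` (capacity outlen). Returns 0 on success,
 * -1 if the key is absent, -2 if the value would not fit.
 * The length is checked before any byte is written, so an overlong
 * value is rejected rather than overflowing the caller's buffer. */
int get_field_bounded(const char *query, const char *key, char *out, size_t outlen)
{
    size_t klen = strlen(key);
    const char *p = query;
    if (outlen == 0) return -2;
    while (p && *p) {
        /* keys are matched only at the start of a "key=value" segment */
        if (strncmp(p, key, klen) == 0 && p[klen] == '=') {
            const char *v = p + klen + 1;
            const char *end = strchr(v, '&');
            size_t vlen = end ? (size_t)(end - v) : strlen(v);
            if (vlen >= outlen) {      /* leave room for the terminator */
                out[0] = '\0';
                return -2;
            }
            memcpy(out, v, vlen);
            out[vlen] = '\0';
            return 0;
        }
        p = strchr(p, '&');
        if (p) p++;
    }
    out[0] = '\0';
    return -1;
}

/* Simulated handler: returns 1 if the request would be processed,
 * 0 if the Date field was rejected (missing or too long). */
int handle_ups_request(const char *query)
{
    char date[FIELD_MAX];  /* stack buffer, as in the advisory's description */
    int rc = get_field_bounded(query, "Date", date, sizeof date);
    if (rc != 0) {
        fprintf(stderr, "rejecting request: Date field %s\n",
                rc == -1 ? "missing" : "exceeds limit");
        return 0;
    }
    printf("Date=%s\n", date);
    return 1;
}

int main(void)
{
    /* constructed sample inputs; the second carries a 200-byte Date value */
    char longq[256] = "Date=";
    memset(longq + 5, 'A', 200);
    longq[205] = '\0';
    handle_ups_request("Date=2026-05-29&other=1");   /* accepted */
    handle_ups_request(longq);                       /* rejected */
    return 0;
}
```

The same check, expressed as a rule for a reverse proxy or WAF in front of an unmaintained device, is the only generic compensating control for this bug class: cap the length of each query parameter well below any fixed buffer the CGI might use, and log rejections so oversized requests against tomatodata.cgi are visible.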

Impact

Successful exploitation leads to arbitrary code execution on the affected device. The attacker gains full control over the router's operating system, enabling actions such as installing malware, exfiltrating data, or pivoting to internal networks. The impact is high due to the remote, unauthenticated nature of the attack and the privileged context of the CGI process [1].

Mitigation

No official patch is available as Shibby Tomato 1.28 is end-of-life and no longer supported. Users are strongly advised to upgrade to FreshTomato, the actively maintained fork, which is not affected by this vulnerability. There are no known workarounds for the vulnerable firmware. This CVE is not listed in CISA's Known Exploited Vulnerabilities catalog as of the publication date [1].

AI Insight generated on May 29, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0 (no linked articles in the index yet)