CVE-2026-10065: Shibby Tomato tomatodata.cgi get_ups_field stack-based overflow
A vulnerability has been identified in Shibby Tomato 1.28. It affects the function get_ups_field of the file tomatodata.cgi: manipulation of the argument Date leads to a stack-based buffer overflow. The attack can be launched remotely. The project is superseded by FreshTomato, and this vulnerability only affects products that are no longer supported by the maintainer.
HarborGuard Analysis
Synopsis
A stack-based buffer overflow in the get_ups_field function of tomatodata.cgi in Shibby Tomato 1.28 lets a remote, authenticated attacker corrupt the stack of the CGI process by supplying a crafted Date argument. The web management interface is reachable over the network and a low-privilege web UI account is sufficient (PR:L), and successful exploitation yields attacker-controlled code execution on the device. Shibby Tomato is no longer maintained (superseded by FreshTomato) and no fix has been published; HarborGuard tracks the advisory for patch availability.
HarborGuard Coverage
- Detection: Available
The advisory is ingested from upstream feeds within minutes of publication and matched against Shibby Tomato 1.28 in customer registries and build pipelines, including custom-built images that embed the affected tomatodata.cgi binary.
- Triage: Available
The CVSS v4.0 score of 8.7 (High) is applied automatically and weighted against each environment's compliance policy. Findings are routed to the appropriate inbox inside each customer org so router-firmware and edge-device owners see the issue first.
- Remediation: Pending upstream
No upstream fix exists because Shibby Tomato is end-of-life and superseded by FreshTomato, so HarborGuard re-checks the advisory each ingest cycle for a community or fork backport. Once a patched upstream is published, a rebuilt image at the fix version becomes available, and customers with auto-remediation enabled get the rebuild, a regression-test run, and a PR opened against affected workloads.
Exploit Conditions
- Network reachability: Required
The attacker must reach the tomatodata.cgi endpoint over the network, typically the router's HTTP management interface.
- Authentication: Required
A low-privilege account on the Tomato web UI is sufficient to invoke the vulnerable CGI handler.
- Victim interaction: Not required
No user action is needed; the attacker sends the crafted Date argument directly.
- Attack complexity: Low
The overflow triggers reliably without race conditions or special environmental setup.
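To make the exploit condition concrete, here is an added example that is not Tomato's code: a hypothetical CGI handler in the shape the advisory describes, copying the Date value out of the query string into a fixed-size stack buffer without a bound (the defect class), beside a bounded version that refuses over-long values. The buffer size DATE_MAX, the helper names, the output format and the constructed attack query are all assumptions for illustration; the advisory does not give the real get_ups_field implementation or its buffer size.

```c
/*
 * Added illustration, not Tomato's code: a CGI handler that reads the Date
 * argument from QUERY_STRING into a fixed-size stack buffer, shown in the
 * unbounded form (the defect class in CVE-2026-10065) and a bounded form.
 * DATE_MAX, the helper names and the output format are assumptions.
 */
#include <stdio.h>
#include <string.h>

#define DATE_MAX 32  /* assumed size of the stack buffer for the Date value */

/* Find "key=" at the start of an '&'-separated QUERY_STRING segment and
 * return a pointer to its (still URL-encoded) value; *len_out receives the
 * value length. Returns NULL when the key is absent. */
static const char *find_query_arg(const char *qs, const char *key, size_t *len_out)
{
    size_t klen = strlen(key);
    const char *p = qs;

    while (p != NULL && *p != '\0') {
        if (strncmp(p, key, klen) == 0 && p[klen] == '=') {
            const char *val = p + klen + 1;
            const char *end = strchr(val, '&');
            *len_out = end ? (size_t)(end - val) : strlen(val);
            return val;
        }
        p = strchr(p, '&');   /* skip to the next "key=value" pair */
        if (p != NULL)
            p++;
    }
    return NULL;
}

/* Unbounded (vulnerable) pattern: the copy length comes straight from the
 * request, so a Date value of DATE_MAX bytes or more overruns `date` and
 * whatever the compiler placed above it on the stack. Kept only to show the
 * defect; never call it on untrusted input. */
int get_ups_field_vulnerable(const char *qs, char *out, size_t outsz)
{
    char date[DATE_MAX];
    size_t n;
    const char *val = find_query_arg(qs, "Date", &n);

    if (val == NULL)
        return -1;
    memcpy(date, val, n);          /* no bound: stack-based buffer overflow */
    date[n] = '\0';
    snprintf(out, outsz, "ups_date=%s", date);
    return 0;
}

/* Bounded form: reject any value that does not fit instead of truncating
 * silently, so over-long input becomes an error the caller can log rather
 * than a write past the buffer. Returns 0 on success, -1 if Date is absent,
 * -2 if the value is too long. */
int get_ups_field_hardened(const char *qs, char *out, size_t outsz)
{
    char date[DATE_MAX];
    size_t n;
    const char *val = find_query_arg(qs, "Date", &n);

    if (val == NULL)
        return -1;
    if (n >= sizeof date)          /* leave room for the terminator */
        return -2;
    memcpy(date, val, n);
    date[n] = '\0';
    snprintf(out, outsz, "ups_date=%s", date);
    return 0;
}

/* Constructed attacker input: "Date=" followed by payload_len 'A' bytes.
 * Returns the query length, or 0 if buf is too small to hold it. */
size_t build_attack_query(char *buf, size_t bufsz, size_t payload_len)
{
    const char *prefix = "Date=";
    size_t plen = strlen(prefix);

    if (bufsz < plen + payload_len + 1)
        return 0;
    memcpy(buf, prefix, plen);
    memset(buf + plen, 'A', payload_len);
    buf[plen + payload_len] = '\0';
    return plen + payload_len;
}

int main(void)
{
    char qs[256], out[64];

    build_attack_query(qs, sizeof qs, 200);   /* 205-byte query, 200-byte Date */
    printf("hardened handler on oversized Date: rc=%d\n",
           get_ups_field_hardened(qs, out, sizeof out));
    printf("hardened handler on benign Date:    rc=%d (%s)\n",
           get_ups_field_hardened("id=1&Date=2026-03-01", out, sizeof out), out);
    return 0;
}
```

The vulnerable variant is never invoked on the constructed query here: with a 200-byte Date it would write about 170 bytes past the end of the 32-byte buffer. Rejecting rather than truncating keeps an over-long Date from becoming a silently accepted wrong value, and the distinct -2 return gives the caller a place to log the attempt, which is the one detection hook an operator of an unpatched device has.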
Blast Radius
- Executes attacker-controlled code in the context of the router's web server and CGI process, which on this class of embedded firmware typically runs with root privileges.
- Reads any data handled by the router including stored credentials, VPN keys, and configuration secrets.
- Modifies firmware configuration, routing rules, and persisted settings to maintain access or pivot into the internal network.
- Disrupts the management interface and broader router availability, potentially knocking the device offline.
How HarborGuard Handles This
Available on HarborGuard: continuous monitoring of the advisory for a community backport or FreshTomato-derived fix, with a rebuilt image made available automatically as soon as an upstream patch ships. Because the maintainer has abandoned Shibby Tomato 1.28, the practical guidance is migration to FreshTomato or another supported firmware. In the meantime, compensating controls reduce exposure: restrict the router management interface to a dedicated admin VLAN, block WAN-side access to the HTTP CGI endpoints, remove unneeded web UI accounts and rotate the remaining credentials (any account that can log in satisfies the PR:L precondition), and add egress filtering to limit post-exploitation pivoting. For environments that opt into auto-remediation, the rebuild, regression run, and PR against affected workloads fire as soon as a patched build exists.
Metrics
- CVSS v4.0: 8.7
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
- Shibby / Tomato 1.28
- Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X