CVE-2026-10066 · Severity: HIGH · CNA: VulDB

CVE-2026-10066: Shibby Tomato UPS Service tomatoups.cgi sub_9068 stack-based overflow

A security vulnerability has been detected in Shibby Tomato up to 1.28. This issue affects the function sub_9068 of the file tomatoups.cgi of the component UPS Service. The manipulation leads to stack-based buffer overflow. The attack can be initiated remotely. This project is superseded by FreshTomato. This vulnerability only affects products that are no longer supported by the maintainer.

HarborGuard Analysis

Synopsis

A stack-based buffer overflow exists in the sub_9068 function of tomatoups.cgi in the UPS Service component of Shibby Tomato through version 1.28. The flaw is reachable over the network and requires only a low-privilege account on the device. A successful exploit corrupts the stack of the CGI process, which the published CVSS v4 vector rates as high impact to confidentiality, integrity and availability: leaked memory contents, altered router state, or a crashed service. The project is end-of-life (superseded by FreshTomato) and no fix has been published, so HarborGuard tracks the advisory for patch availability.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against images in customer registries and CI pipelines, including custom-built images that bundle Shibby Tomato or its tomatoups.cgi binary.

Triage: Available

Triage is available with the published CVSS v4 score of 8.7 (High), weighted against each customer's compliance policy so end-of-life router firmware images can be escalated more aggressively, and routed to the appropriate inbox inside each customer org.

Patch: Pending upstream

Because no upstream fix exists and the project is no longer supported, HarborGuard re-checks the advisory each ingest cycle and will make a patched-image rebuild available the moment a fix is published; in the meantime, environments with auto-remediation enabled receive guidance on migrating affected workloads to the FreshTomato successor.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the tomatoups.cgi endpoint over the network (AV:N).

  • Authentication: Required

    A low-privilege account on the device is sufficient to invoke the vulnerable function (PR:L).

  • Victim interaction: Not required

    No user action is needed; the attacker triggers the overflow directly (UI:N).

  • Attack complexity: Low

    The vector records no specialised conditions on the attack (AC:L) and no attack requirements such as a race or a particular deployment (AT:N); the attacker needs only the network access and account noted above.

Blast Radius

  • Reads stack memory and adjacent process data from the UPS Service, exposing credentials and router configuration.
  • Overwrites the call stack to alter UPS Service control flow and tamper with router state.
  • Crashes tomatoups.cgi and disrupts UPS monitoring on the affected router.
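The vulnerability class the synopsis and Blast Radius describe, as an added illustrative example rather than code from Shibby Tomato or from sub_9068 (whose source the advisory does not show): a CGI-style handler copies an attacker-controlled query-string value into a fixed-size stack buffer without checking its length, so bytes past the buffer land on the saved return address, beside the hardened form that checks the length first. The parameter name "ups", the buffer size PARAM_MAX, the sample requests and the modelled frame layout are all assumptions made for the demonstration.

```c
/*
 * Added illustrative example, not code from Shibby Tomato or tomatoups.cgi.
 * It models the advisory's bug class: a query-string value copied into a
 * fixed stack buffer with no length check. "ups", PARAM_MAX, the sample
 * requests and the frame layout are assumptions for the demonstration.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PARAM_MAX    32             /* assumed size of the fixed buffer */
#define SENTINEL_RET 0x4004d0ULL    /* arbitrary stand-in for a saved return address */
#define A10 "AAAAAAAAAA"

/* Constructed sample requests (not captured traffic). SAMPLE_LONG carries a
 * 40-byte value: 32 bytes fill the buffer, the next 8 land on saved_ret. */
const char SAMPLE_OK[]   = "ups=apc-smart&cmd=status";
const char SAMPLE_LONG[] = "ups=" A10 A10 A10 A10 "&cmd=status";

/* Locate `key` in a "k=v&k=v" query string; returns a pointer to the raw value
 * and its length, or NULL when absent. No percent-decoding: enough for the demo. */
const char *query_find(const char *qs, const char *key, size_t *len)
{
    size_t klen = strlen(key);
    const char *p = qs;
    for (;;) {
        const char *amp = strchr(p, '&');
        size_t seg = amp ? (size_t)(amp - p) : strlen(p);
        if (seg > klen && p[klen] == '=' && strncmp(p, key, klen) == 0) {
            *len = seg - klen - 1;
            return p + klen + 1;
        }
        if (!amp)
            return NULL;
        p = amp + 1;
    }
}

/* Model of the handler's stack frame: the parameter buffer followed by a
 * field standing in for the saved return address that sits above it on a real
 * stack. Real layouts differ; the struct just makes the clobber observable
 * without corrupting the real stack (undefined behaviour, and a likely crash). */
struct frame {
    char     name[PARAM_MAX];
    uint64_t saved_ret;
};

/* Vulnerable pattern: the value length is never compared with sizeof name, so
 * bytes beyond PARAM_MAX overwrite saved_ret and the attacker decides where the
 * function "returns". The only bound kept is sizeof f, purely so the demo stays
 * deterministic; a real strcpy has none. Returns saved_ret after the copy. */
uint64_t vuln_copy(const char *qs)
{
    struct frame f;
    size_t len;
    const char *v;

    memset(f.name, 0, sizeof f.name);
    f.saved_ret = SENTINEL_RET;
    v = query_find(qs, "ups", &len);
    if (v == NULL)
        return f.saved_ret;
    if (len > sizeof f)
        len = sizeof f;            /* demo-only guard */
    memcpy(&f, v, len);            /* BUG: no check against sizeof f.name */
    return f.saved_ret;
}

/* Hardened form: check the length against the destination before copying,
 * reject over-long input outright (silent truncation changes the value's
 * meaning and hides tampering), and always NUL-terminate.
 * Returns 0 on success, -1 if the parameter is absent, -2 if it is too long. */
int safe_copy(const char *qs, char *out, size_t outsz)
{
    size_t len;
    const char *v = query_find(qs, "ups", &len);
    if (v == NULL)
        return -1;
    if (len >= outsz)
        return -2;
    memcpy(out, v, len);
    out[len] = '\0';
    return 0;
}

int main(void)
{
    char buf[PARAM_MAX];
    int rc;
    printf("vuln_copy(SAMPLE_OK):   saved_ret = 0x%llx\n", (unsigned long long)vuln_copy(SAMPLE_OK));
    printf("vuln_copy(SAMPLE_LONG): saved_ret = 0x%llx\n", (unsigned long long)vuln_copy(SAMPLE_LONG));
    rc = safe_copy(SAMPLE_OK, buf, sizeof buf);
    printf("safe_copy(SAMPLE_OK):   rc = %d, value = %s\n", rc, buf);
    printf("safe_copy(SAMPLE_LONG): rc = %d\n", safe_copy(SAMPLE_LONG, buf, sizeof buf));
    return 0;
}
```

Build with `cc -Wall -o overflow_demo overflow_demo.c`. The 40-byte value leaves `saved_ret` reading 0x4141414141414141 in the vulnerable path, which is exactly the control-flow overwrite the Blast Radius lists, while the hardened path refuses it with -2. Stack canaries or ASLR on the device would turn the overwrite into a crash or a harder exploit, not remove the bug; only the length check does that.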

How HarborGuard Handles This

Available on HarborGuard: continuous monitoring of the advisory for any upstream fix, with the patched-image rebuild surfaced automatically the moment one is published. Because Shibby Tomato is end-of-life, compensating-control suggestions are offered for affected environments, including network-policy isolation of the router management interface, ingress filtering so that tomatoups.cgi is reachable only from trusted management networks and never from the WAN side, and guidance on migrating to the maintained FreshTomato successor. For customers who opt into auto-remediation, a rebuild, regression run, and PR against affected workloads will be generated as soon as a fixed upstream version exists.


Metrics

CVSS v4.0 score: 8.7
Severity: HIGH
Fixed in: no fixed version published (project end-of-life)
Affected products: 1
Affected packages:
  • Shibby / Tomato: 1.0 · 1.1 · 1.2 · 1.3 · 1.4 · 1.5
CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X