CVE-2026-10068
Deferred Deferred - Pending Action
Server-Side Request Forgery in Shibby Tomato 1.28

Publication date: 2026-05-29

Last updated on: 2026-05-29

Assigner: VulDB

Description
A flaw has been found in Shibby Tomato 1.28. The affected element is the function send of the file usr/sbin/miniupnpd of the component SUBSCRIBE Call Handler. This manipulation causes server-side request forgery. The attack may be initiated remotely. This project is superseded by FreshTomato. This vulnerability only affects products that are no longer supported by the maintainer.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-29
Last Modified
2026-05-29
Generated
2026-06-19
AI Q&A
2026-05-29
EPSS Evaluated
2026-06-18
NVD
CVE-2026-10068
EUVD
EUVD-2026-33345
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
shibby_tomato 1.28 *
shibby tomato 1.28
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-10068 is an information disclosure vulnerability found in Shibby Tomato firmware version 1.28, specifically in the miniupnpd component's SUBSCRIBE callback handling function.

The flaw occurs because the code uses the return value of snprintf() as the length of data to send without verifying if the formatted string fits within the allocated buffer size. This can cause the send() function to transmit data beyond the intended buffer, leaking unintended heap memory and adjacent message data to an attacker-controlled subscriber.

The vulnerability is triggered when a sufficiently long callback URI is used, causing an out-of-bounds read and exposure of sensitive information to an unauthorized actor.

The attack surface is limited to LAN-side unauthenticated event-subscription interfaces when UPnP is enabled, and the callback host is restricted to the requester's own IPv4 address.

Impact Analysis

This vulnerability can lead to the disclosure of sensitive information from the device's heap memory to an attacker who can subscribe to events via the UPnP interface.

An attacker on the local network can exploit this flaw to receive unintended memory contents, which may include sensitive data.

There is no evidence that this vulnerability allows remote code execution, arbitrary server-side request forgery, or memory corruption.

However, the exposure of sensitive information could be leveraged for further attacks or reconnaissance within the local network.

Detection Guidance

This vulnerability can be detected by monitoring for unusual or malformed NOTIFY requests sent by the miniupnpd daemon on affected Shibby Tomato 1.28 devices. Specifically, look for NOTIFY messages containing unexpectedly large callback URIs or leaked heap memory data beyond the expected buffer size.

Since the attack involves sending a long callback URI (e.g., around 900 bytes) to trigger the memory disclosure, you can detect attempts by capturing and analyzing UPnP event-subscription traffic on the LAN side.

Suggested commands include using network packet capture tools such as tcpdump or Wireshark to filter and inspect UPnP NOTIFY messages:

  • tcpdump -i <interface> -s 0 -w upnp_notify.pcap 'udp and (port 1900 or port 5000)'
  • Use Wireshark to open the capture file and filter for NOTIFY requests with unusually long callback URIs or unexpected data beyond the normal buffer size.

Additionally, monitoring logs or debugging output from the miniupnpd daemon for errors related to snprintf() return values exceeding buffer sizes may help detect exploitation attempts.

Mitigation Strategies

Immediate mitigation steps include disabling UPnP event-subscription services on affected Shibby Tomato 1.28 devices if possible, especially on the LAN side where the attack surface exists.

If disabling UPnP is not feasible, restrict access to the UPnP event-subscription interface to trusted hosts only, to prevent unauthenticated attackers from sending malicious callback URIs.

Other suggested mitigations involve patching or upgrading the firmware to a version that addresses this vulnerability. Since Shibby Tomato 1.28 is no longer supported and superseded by FreshTomato, consider migrating to FreshTomato or another supported firmware.

From a code or configuration perspective, the following mitigations are recommended:

  • Reject callback URIs that exceed the allocated buffer size before processing.
  • Validate the return value of snprintf() against the buffer size before sending data.
  • Dynamically size the NOTIFY buffer based on the callback URI length or clamp the callback length before persistence.
Compliance Impact

This vulnerability causes an information disclosure through an out-of-bounds read, leaking heap memory and adjacent message data to an unauthorized subscriber. Such exposure of sensitive information could potentially impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive data against unauthorized access.

However, the vulnerability is limited to LAN-side unauthenticated event-subscription interfaces when UPnP is enabled, and the callback host is constrained to the requester's own IPv4 address, reducing the attack surface. There is no evidence of WAN-side exploitation or remote code execution.

Given that the affected product is no longer supported by the maintainer and the vulnerability involves exposure of sensitive information, organizations using this product may face increased risk of non-compliance with standards that mandate protection of sensitive data.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-10068. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart