CVE-2026-10068
Status: Deferred - Pending Action
Server-Side Request Forgery in Shibby Tomato 1.28

Publication date: 2026-05-29

Last updated on: 2026-05-29

Assigner: VulDB

Description
A flaw has been found in Shibby Tomato 1.28. The affected element is the function send of the file usr/sbin/miniupnpd of the component SUBSCRIBE Call Handler. This manipulation causes server-side request forgery. The attack may be initiated remotely. This project is superseded by FreshTomato. This vulnerability only affects products that are no longer supported by the maintainer.
Meta Information
Generated: 2026-05-29
AI Q&A: 2026-05-29
EPSS Evaluated: N/A
Affected Vendors & Products (2 associated CPEs)
Vendor          Product   Version / Range
shibby_tomato   1.28      *
shibby          tomato    1.28
CWE
CWE-918: The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability causes an information disclosure through an out-of-bounds read, leaking heap memory and adjacent message data to an unauthorized subscriber. Such exposure of sensitive information could potentially impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive data against unauthorized access.

However, the vulnerability is limited to LAN-side unauthenticated event-subscription interfaces when UPnP is enabled, and the callback host is constrained to the requester's own IPv4 address, reducing the attack surface. There is no evidence of WAN-side exploitation or remote code execution.

Given that the affected product is no longer supported by the maintainer and the vulnerability involves exposure of sensitive information, organizations using this product may face increased risk of non-compliance with standards that mandate protection of sensitive data.


Can you explain this vulnerability to me?

CVE-2026-10068 is an information disclosure vulnerability found in Shibby Tomato firmware version 1.28, specifically in the miniupnpd component's SUBSCRIBE callback handling function.

The flaw occurs because the code uses the return value of snprintf() as the length of data to send without verifying if the formatted string fits within the allocated buffer size. This can cause the send() function to transmit data beyond the intended buffer, leaking unintended heap memory and adjacent message data to an attacker-controlled subscriber.

The vulnerability is triggered when a sufficiently long callback URI is used, causing an out-of-bounds read and exposure of sensitive information to an unauthorized actor.

The attack surface is limited to LAN-side unauthenticated event-subscription interfaces when UPnP is enabled, and the callback host is restricted to the requester's own IPv4 address.


How can this vulnerability impact me?

This vulnerability can lead to the disclosure of sensitive information from the device's heap memory to an attacker who can subscribe to events via the UPnP interface.

An attacker on the local network can exploit this flaw to receive unintended memory contents, which may include sensitive data.

There is no evidence that this vulnerability allows remote code execution, arbitrary server-side request forgery, or memory corruption.

However, the exposure of sensitive information could be leveraged for further attacks or reconnaissance within the local network.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for unusual or malformed NOTIFY requests sent by the miniupnpd daemon on affected Shibby Tomato 1.28 devices. Specifically, look for NOTIFY messages containing unexpectedly large callback URIs or leaked heap memory data beyond the expected buffer size.

Since the attack involves sending a long callback URI (e.g., around 900 bytes) to trigger the memory disclosure, you can detect attempts by capturing and analyzing UPnP event-subscription traffic on the LAN side.

Suggested commands include using network packet capture tools such as tcpdump or Wireshark to filter and inspect UPnP NOTIFY messages:

  • tcpdump -i <interface> -s 0 -w upnp_notify.pcap 'udp port 1900 or tcp port 5000' (SSDP discovery is UDP 1900; SUBSCRIBE and NOTIFY are HTTP over TCP, so a UDP-only filter would miss them)
  • Use Wireshark to open the capture file and filter for NOTIFY requests with unusually long callback URIs or unexpected data beyond the normal buffer size.

Additionally, monitoring logs or debugging output from the miniupnpd daemon for errors related to snprintf() return values exceeding buffer sizes may help detect exploitation attempts.


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include disabling UPnP event-subscription services on affected Shibby Tomato 1.28 devices if possible, especially on the LAN side where the attack surface exists.

If disabling UPnP is not feasible, restrict access to the UPnP event-subscription interface to trusted hosts only, to prevent unauthenticated attackers from sending malicious callback URIs.

Other suggested mitigations involve patching or upgrading the firmware to a version that addresses this vulnerability. Since Shibby Tomato 1.28 is no longer supported and superseded by FreshTomato, consider migrating to FreshTomato or another supported firmware.

From a code or configuration perspective, the following mitigations are recommended:

  • Reject callback URIs that exceed the allocated buffer size before processing.
  • Validate the return value of snprintf() against the buffer size before sending data.
  • Dynamically size the NOTIFY buffer based on the callback URI length or clamp the callback length before persistence.
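The snprintf() misuse described in the explanation above, beside the three code-level mitigations listed here, in an added C example written for this page (not miniupnpd's own code); the buffer sizes, the NOTIFY format string and the 900-byte callback path are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sizes for illustration; not miniupnpd's real values. */
#define NOTIFY_BUF_SIZE 512
#define MAX_CALLBACK_LEN 256
#define NOTIFY_FMT "NOTIFY %s HTTP/1.1\r\nContent-Length: %zu\r\n\r\n%s"

/* Vulnerable pattern: snprintf() returns the length the message WOULD
 * have had even when it was truncated, and that value becomes the send()
 * length. Returns what would be passed to send(). */
static int build_notify_unsafe(char *buf, size_t bufsize,
                               const char *cb_path, const char *body)
{
    int len = snprintf(buf, bufsize, NOTIFY_FMT, cb_path, strlen(body), body);
    return len;   /* len >= bufsize means send() reads past the buffer */
}

/* Hardened: check the return value against the buffer before it can
 * become a send length. Returns bytes to send, or -1 to reject. */
static int build_notify_safe(char *buf, size_t bufsize,
                             const char *cb_path, const char *body)
{
    int len = snprintf(buf, bufsize, NOTIFY_FMT, cb_path, strlen(body), body);
    if (len < 0 || (size_t)len >= bufsize)
        return -1;    /* truncated: drop the NOTIFY instead of trusting len */
    return len;
}

/* Input-side check at SUBSCRIBE time: reject an oversized callback before
 * it is persisted, so no later NOTIFY can exceed the buffer. */
static int callback_acceptable(const char *callback)
{
    return strlen(callback) <= MAX_CALLBACK_LEN;
}

/* Build a NOTIFY for a 900-byte callback path (the length the advisory
 * mentions) and return how many bytes past the buffer the chosen builder
 * would hand to send(); 0 means nothing would be over-read. */
static long overread_bytes_for_long_callback(int use_safe)
{
    char path[901], buf[NOTIFY_BUF_SIZE];
    memset(path, 'A', 900);
    path[900] = '\0';
    int len = use_safe ? build_notify_safe(buf, sizeof buf, path, "<e/>")
                       : build_notify_unsafe(buf, sizeof buf, path, "<e/>");
    if (len < 0 || (size_t)len <= sizeof buf) return 0;
    return (long)len - (long)sizeof buf;
}
```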
