CVE-2026-15544
Received Received - Intake

Stack-Based Buffer Overflow in Shibby Tomato apcupsd

Vulnerability report for CVE-2026-15544, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-13

Last updated on: 2026-07-13

Assigner: VulDB

Description

A vulnerability was determined in Shibby Tomato up to 1.28.0000. Affected is the function getupsvar of the file www/apcupsd/tomatodata.cgi of the component apcupsd. This manipulation of the argument Field causes stack-based buffer overflow. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. This project is superseded by FreshTomato.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-13
Last Modified
2026-07-13
Generated
2026-07-13
AI Q&A
2026-07-13
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
shibby tomato to 1.28.0000 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-119 The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
CWE-121 A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-15544 is a stack-based buffer overflow vulnerability found in the Tomato by Shibby firmware, specifically affecting the apcupsd CGI programs including tomatodata.cgi, tomatoups.cgi, and multimon.cgi.

The flaw exists in the getupsvar() function, where an unbounded sscanf call with the "%s" format writes unlimited input bytes into a fixed 64-byte stack buffer without checking the size limits. The buffer size parameter is ignored.

The data causing this overflow comes from the apcupsd daemon's TCP response on port 3551, affecting many UPS status fields. This vulnerability can be exploited remotely on the LAN side when remote UPS monitoring is configured.

Exploitation can cause crashes (SIGSEGV) and potentially allow remote code execution by overwriting the program counter with attacker-controlled data.

Impact Analysis

This vulnerability can lead to denial of service through application crashes caused by the stack-based buffer overflow.

More critically, it may allow an attacker to execute arbitrary code remotely on the affected device by controlling the program counter, potentially leading to full system compromise.

Since the attack surface is on the LAN side when remote UPS monitoring is enabled, attackers within the local network could exploit this vulnerability to disrupt services or gain unauthorized access.

Detection Guidance

This vulnerability affects the apcupsd CGI programs in Shibby Tomato firmware, specifically the getupsvar() function which processes TCP responses from the apcupsd daemon on port 3551.

To detect this vulnerability on your network or system, you can monitor traffic on TCP port 3551 for suspicious or malformed responses from the apcupsd daemon that might trigger the buffer overflow.

Since the vulnerability involves unbounded sscanf calls in the CGI scripts, you can also check the version of the Tomato firmware to see if it is up to 1.28.0000, which is affected.

Specific commands to detect or test this vulnerability are not explicitly provided in the resources, but you might consider using network monitoring tools like tcpdump or Wireshark to capture traffic on port 3551, for example:

  • tcpdump -i <interface> port 3551

Additionally, you could attempt to emulate or simulate the attack using a controlled apcupsd server sending crafted responses to the vulnerable CGI scripts to observe crashes or abnormal behavior.

Mitigation Strategies

Immediate mitigation steps include disabling or restricting access to the apcupsd monitoring service on TCP port 3551, especially from untrusted LAN or WAN sources.

Since the vulnerability is in Shibby Tomato firmware up to version 1.28.0000, upgrading to a newer firmware version such as FreshTomato, which supersedes Shibby Tomato, is recommended.

Limiting or disabling remote UPS monitoring functionality that uses the vulnerable CGI programs (tomatodata.cgi, tomatoups.cgi, multimon.cgi) can reduce the attack surface.

Applying network-level controls such as firewall rules to block or restrict access to port 3551 can help prevent exploitation.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-15544. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart