CVE-2026-10871
HIGHCVSS v3.1: 7.2
Source data as of:
At a glance
- Severity
- HIGH
- CVSS
- 7.2 v3.1 · NVD
- EPSS
- EPSS not provided by FIRST.org for this CVE
- CISA KEV
- No
- Type
- Command Injection, OS Command Injection · NVD CWE
- Attack conditions (CVSS vector)
- NetworkNo user interaction · Source: NVD Vector
- Published
- 2026-06-04 · Modified: 2026-06-04
- References
- Jump to references (6)
CVSS / EPSS / KEV
Source — CVSS: NVD · EPSS: FIRST.org · KEV: CISA. Data & Sources
Description
A vulnerability has been found in Shibby Tomato 1.28.0000. This vulnerability affects the function start_6rd_tunnel of the file /sbin/rc of the component Web UI. Such manipulation of the argument ipv6_6rd_borderrelay leads to os command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. This project is superseded by FreshTomato.
References
Reference URLs as listed by NVD, grouped by a mechanical match on the link's host/pattern. Labels describe the link type only.
- Vendor advisory https://gitee.com/WH-YHUST/tomato-rc-nvram-cve/blob/master/gitee-cve-disclosure/advisories…
- Vendor advisory https://gitee.com/WH-YHUST/tomato-rc-nvram-cve/blob/master/gitee-cve-disclosure/advisories…
- Reference https://vuldb.com/cve/CVE-2026-10871
- Reference https://vuldb.com/submit/831857
- Reference https://vuldb.com/vuln/368361
- Reference https://vuldb.com/vuln/368361/cti