CVE-2026-15546

Summary

A security flaw has been discovered in Shibby Tomato up to 1.28.0000. Affected by this issue is the function sub_2D568 of the component start_jffs2. Performing a manipulation of the argument jffs2_exec results in os command injection. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks. This project is superseded by FreshTomato.

Affected Software

VendorProductVersion RangeStatus
ShibbyTomato1.0affected
ShibbyTomato1.1affected
ShibbyTomato1.2affected
ShibbyTomato1.3affected
ShibbyTomato1.4affected
ShibbyTomato1.5affected
ShibbyTomato1.6affected
ShibbyTomato1.7affected
ShibbyTomato1.8affected
ShibbyTomato1.9affected
ShibbyTomato1.10affected
ShibbyTomato1.11affected
ShibbyTomato1.12affected
ShibbyTomato1.13affected
ShibbyTomato1.14affected
ShibbyTomato1.15affected
ShibbyTomato1.16affected
ShibbyTomato1.17affected
ShibbyTomato1.18affected
ShibbyTomato1.19affected
ShibbyTomato1.20affected
ShibbyTomato1.21affected
ShibbyTomato1.22affected
ShibbyTomato1.23affected
ShibbyTomato1.24affected
ShibbyTomato1.25affected
ShibbyTomato1.26affected
ShibbyTomato1.27affected
ShibbyTomato1.28.0000affected

Weaknesses

  • CWE-78: OS Command Injection
  • CWE-77: Command Injection

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

Additional References

References