A vulnerability was found in Shibby Tomato 1.28.0000 . It has been rated as critical . This issue affects the function start_vpnserver of the file /sbin/rc of the component Web UI . Performing a manipulation results in os command injection. This vulnerability is identified as CVE-2026-10872 . The attack can be initiated remotely. Additionally, an exploit exists. This project is superseded by FreshTomato.