cvebase

Maximmasiutin Tinyweb vulnerabilities

6 known vulnerabilities affecting maximmasiutin/tinyweb.

Total CVEs: 6
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 3, HIGH 3

Vulnerabilities

CVE-2026-22781 | P2 | CRITICAL | CVSS 9.8 | fixed in 1.98 | 2026-01-12
CVE-2026-22781 [CRITICAL] CWE-78: TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. TinyWeb HTTP Server before version 1.98 is vulnerable to OS command injection via CGI ISINDEX-style query parameters. The query parameters are passed as command-line arguments to the CGI executable via Windows CreateProcess(). An unauthenticated remote attacker can execute arbitrary
nvd
CVE-2026-27613 | P2 | CRITICAL | CVSS 9.8 | fixed in 2.01 | 2026-02-25
CVE-2026-27613 [CRITICAL] CWE-78: TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. A vulnerability in versions prior to 2.01 allows unauthenticated remote attackers to bypass the web server's CGI parameter security controls. Depending on the server configuration and the specific CGI executable in use, the impact is either source code disclosure or remote code exec
nvd
CVE-2026-28497 | P2 | CRITICAL | CVSS 9.1 | fixed in 2.03 | 2026-03-06
CVE-2026-28497 [CRITICAL] CWE-190: TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. Prior to version 2.03, an integer overflow vulnerability in the string-to-integer conversion routine (_Val) allows an unauthenticated remote attacker to bypass Content-Length restrictions and perform HTTP Request Smuggling. This can lead to unauthorized access, security filter bypa
nvd
CVE-2026-29046 | P3 | HIGH | CVSS 8.2 | fixed in 2.04 | 2026-03-06
CVE-2026-29046 [HIGH] CWE-20: TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. Prior to version 2.04, TinyWeb accepts request header values and later maps them into CGI environment variables (HTTP_*). The parser did not strictly reject dangerous control characters in header lines and header values, including CR, LF, and NUL, and did not consistently defend against
nvd
CVE-2026-27630 | P3 | HIGH | CVSS 7.5 | fixed in 2.02 | 2026-02-26
CVE-2026-27630 [HIGH] CWE-400: TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. Versions prior to version 2.02 are vulnerable to a Denial of Service (DoS) attack known as Slowloris. The server spawns a new OS thread for every incoming connection without enforcing a maximum concurrency limit or an appropriate request timeout. An unauthenticated remote attacker can
nvd
CVE-2026-27633 | P3 | HIGH | CVSS 7.5 | fixed in 2.02 | 2026-02-26
CVE-2026-27633 [HIGH] CWE-400: TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. Versions prior to version 2.02 have a Denial of Service (DoS) vulnerability via memory exhaustion. Unauthenticated remote attackers can send an HTTP POST request to the server with an exceptionally large `Content-Length` header (e.g., `2147483647`). The server continuously allocates me
nvd