Description
Vulnerability related to an unquoted service path in Small HTTP Server 3.06.36, specifically affecting the executable located at 'C:\Program Files (x86)\shttps_mg\http.exe service'. This misconfiguration allows a local attacker to place a malicious executable with the same name in a higher priority directory, causing the service to execute the malicious file instead of the legitimate one. Exploiting this flaw could allow arbitrary code execution, unauthorized access to the system, or service disruption. To mitigate the risk, the service path must be properly quoted, and systems must be kept up to date with security patches, while restricting physical and network access.
Published: 2026-03-26
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary code execution
Action: Immediate Patch
AI Analysis

Impact

An unquoted service path in Small HTTP Server 3.06.36 allows a local user to place a malicious executable in a higher‑priority directory, causing the service to run that file instead of the legitimate ‘http.exe’ service file. This flaw is a local privilege escalation that enables arbitrary code execution, potentially leading to unauthorized system access or service disruption. The weakness is classified as CWE‑428, unquoted service paths.

Affected Systems

The vulnerability affects Smallsrv’s Small HTTP Server, specifically version 3.06.36. Any deployment running this or an earlier release of the server is susceptible. The vendor has released version 3.06.38, which contains the fix.

Risk and Exploitability

The CVSS score of 8.5 indicates high severity, but EPSS data is unavailable, so exploitation probability cannot be quantified. The flaw is not listed in the CISA KEV catalog, suggesting no publicly known exploit. An attack requires local access to the machine or the ability to write files to its directory, which could be achieved through physical access or remote compromise with sufficient privileges. The patch is readily available, so systems should be updated promptly to eliminate the risk.

Generated by OpenCVE AI on March 26, 2026 at 22:29 UTC.

Remediation

Vendor Solution

The vulnerability has been fixed in version V3.06.38.


OpenCVE Recommended Actions

  • Apply the vendor patch to upgrade Small HTTP Server to version 3.06.38 or later.
  • If immediate patching is not feasible, isolate the affected system from the network and restrict physical access to its file system.
  • Perform a file‑integrity check to ensure no unauthorized executables are present in the service directory.
  • Verify that the service path is correctly quoted and configured.
  • Regularly monitor for system integrity and apply future updates promptly.
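One way to carry out the "service path is correctly quoted" check above, as an added example (not code from OpenCVE or the vendor). The function names are hypothetical, and the sample ImagePath values are constructed from the path given in the description.

```python
import re

# Executable extensions a service ImagePath normally points at.
_EXE_END = re.compile(r"\.(?:exe|com|bat|cmd)(?=\s|$)", re.IGNORECASE)


def split_image_path(image_path):
    """Split a service ImagePath into (executable, arguments, quoted)."""
    value = image_path.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        if end == -1:
            # Unbalanced quote: report as unquoted so it gets reviewed.
            return value[1:], "", False
        return value[1:end], value[end + 1:].strip(), True
    match = _EXE_END.search(value)
    if match is None:
        # No recognisable extension (e.g. a driver): split at first space.
        exe, _, args = value.partition(" ")
        return exe, args.strip(), False
    return value[:match.end()], value[match.end():].strip(), False


def audit_image_path(image_path):
    """Flag CWE-428 and return the correctly quoted replacement value."""
    exe, args, quoted = split_image_path(image_path)
    return {
        "executable": exe,
        "arguments": args,
        # Only spaces inside the executable path matter, not in arguments.
        "unquoted_with_spaces": not quoted and " " in exe,
        "quoted_form": f'"{exe}"' + (f" {args}" if args else ""),
    }


# Constructed sample values; the first is the path from the description.
SAMPLES = [
    r'C:\Program Files (x86)\shttps_mg\http.exe service',
    r'"C:\Program Files (x86)\shttps_mg\http.exe" service',
    r'C:\Windows\System32\svchost.exe -k netsvcs',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        result = audit_image_path(sample)
        state = "UNQUOTED" if result["unquoted_with_spaces"] else "ok"
        print(f"{state:9} {sample}\n          fix: {result['quoted_form']}")
```

On a live host the input strings would be the ImagePath values under HKLM\SYSTEM\CurrentControlSet\Services\<service name>.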



Advisories

No advisories yet.

History

Thu, 26 Mar 2026 21:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Smallsrv small Http Server
CPEs | | cpe:2.3:a:smallsrv:small_http_server:*:*:*:*:*:*:*:*
Vendors & Products | | Smallsrv small Http Server
Metrics | | cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Thu, 26 Mar 2026 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 12:45:00 +0000

Type | Values Removed | Values Added
Description | | Vulnerability related to an unquoted service path in Small HTTP Server 3.06.36, specifically affecting the executable located at 'C:\Program Files (x86)\shttps_mg\http.exe service'. This misconfiguration allows a local attacker to place a malicious executable with the same name in a higher priority directory, causing the service to execute the malicious file instead of the legitimate one. Exploiting this flaw could allow arbitrary code execution, unauthorized access to the system, or service disruption. To mitigate the risk, the service path must be properly quoted, and systems must be kept up to date with security patches, while restricting physical and network access.
Title | | Multiple vulnerabilities in Small HTTP server by Smallsrv
First Time appeared | | Smallsrv; Smallsrv small Http
Weaknesses | | CWE-428
CPEs | | cpe:2.3:a:smallsrv:small_http:3.06.36:*:*:*:*:*:*:*
Vendors & Products | | Smallsrv; Smallsrv small Http
References | |
Metrics | | cvssV4_0 {'score': 8.5, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: INCIBE

Published:

Updated: 2026-03-26T13:37:41.179Z

Reserved: 2025-04-16T09:57:04.871Z

Link: CVE-2025-41359

Vulnrichment

Updated: 2026-03-26T13:37:37.476Z

NVD

Status: Analyzed

Published: 2026-03-26T13:16:25.277

Modified: 2026-03-26T21:04:16.050

Link: CVE-2025-41359

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:28:41Z

Weaknesses