Description
TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. TinyWeb HTTP Server before version 1.98 is vulnerable to OS command injection via CGI ISINDEX-style query parameters. The query parameters are passed as command-line arguments to the CGI executable via Windows CreateProcess(). An unauthenticated remote attacker can execute arbitrary commands on the server by injecting Windows shell metacharacters into HTTP requests. This vulnerability is fixed in 1.98.
Published: 2026-01-12
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The TinyWeb HTTP Server prior to version 1.98 contains an OS command injection flaw that allows an unauthenticated remote attacker to execute arbitrary Windows shell commands. The flaw arises because CGI ISINDEX-style query parameters are passed unfiltered, as command-line arguments, to the CGI executable via CreateProcess(). An attacker who injects shell metacharacters into an HTTP request can make the server run unintended commands with the privileges of the service process.
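The ISINDEX argument derivation the analysis refers to, shown as an added example from a defender's side (this is not TinyWeb's code and not its fix): it derives the argv a CGI server would build from such a query per RFC 3875, flags decoded arguments that carry Windows shell metacharacters, and runs that check over access-log lines. The function names, the metacharacter set and the log lines are this example's own assumptions.

```python
"""Defender-side model of CGI ISINDEX query handling (RFC 3875, section 4.4):
a query with no unencoded '=' is split on '+', URL-decoded and passed to the
CGI program as argv. These helpers derive that argv, flag arguments carrying
Windows shell metacharacters, and run the check over access-log lines. The
metacharacter set and every name below are this example's own choices."""
import re
from urllib.parse import unquote

# cmd.exe metacharacters chosen for this example; not an exhaustive list.
SHELL_METACHARS = frozenset('&|<>^%"\r\n')
REQUEST_TARGET = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/')


def isindex_args(query):
    """argv a server derives from an ISINDEX-style query; None when the
    query is empty or contains '=' (an ordinary form query, not ISINDEX)."""
    if not query or "=" in query:
        return None
    return [unquote(part) for part in query.split("+") if part]


def unsafe_args(args):
    """Arguments containing at least one shell metacharacter after decoding."""
    return [a for a in args if SHELL_METACHARS.intersection(a)]


def flag_log_lines(lines):
    """(request-target, offending-args) for each ISINDEX request whose decoded
    arguments carry shell metacharacters; other requests are skipped."""
    findings = []
    for line in lines:
        match = REQUEST_TARGET.search(line)
        if not match:
            continue
        target = match.group(1)
        args = isindex_args(target.partition("?")[2])
        bad = unsafe_args(args) if args else []
        if bad:
            findings.append((target, bad))
    return findings


# Constructed access-log lines (Common Log Format) for demonstration only.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Jan/2026:18:30:00 +0000] "GET /cgi-bin/search.exe?delphi+win32 HTTP/1.1" 200 512',
    '10.0.0.7 - - [12/Jan/2026:18:30:41 +0000] "GET /cgi-bin/search.exe?q=delphi HTTP/1.1" 200 512',
    '10.0.0.9 - - [12/Jan/2026:18:31:07 +0000] "GET /cgi-bin/search.exe?term%26extra+a%7Cb HTTP/1.1" 200 88',
]
```

Only the third sample line is ISINDEX-style and decodes to arguments containing metacharacters; the second carries '=' and is treated as an ordinary form query.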

Affected Systems

The affected product is TinyWeb, a Delphi-based web server for Win32 produced by maximmasiutin. Versions prior to 1.98 are affected; version 1.98 and later contain the fix.

Risk and Exploitability

With a CVSS score of 10.0, this flaw carries the highest possible severity rating. The EPSS score is below 1% and the CVE is not listed in the KEV catalog, indicating a low current probability of exploitation in the wild. Nevertheless, because the attack is remote, unauthenticated and requires only crafted HTTP requests, the potential impact is catastrophic: a successful attacker could gain full control of the host. No prerequisite beyond HTTP access to the server is needed, so the vulnerability is easy to exploit.

Generated by OpenCVE AI on April 18, 2026 at 06:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade TinyWeb to version 1.98 or later to apply the vendor fix.
  • As an interim measure, remove or disable the CGI executable and any ISINDEX‑style query handling until an upgrade is feasible.
  • Implement network‑level controls such as a reverse proxy that blocks or sanitizes the offending CGI parameters and restricts inbound access to trusted IP ranges.

Advisories

No advisories yet.

History

Fri, 16 Jan 2026 18:45:00 +0000

Type: First Time appeared
  Values Removed: (empty)
  Values Added: Ritlabs; Ritlabs tinyweb
Type: CPEs
  Values Removed: (empty)
  Values Added: cpe:2.3:a:ritlabs:tinyweb:*:*:*:*:*:*:*:*
Type: Vendors & Products
  Values Removed: (empty)
  Values Added: Ritlabs; Ritlabs tinyweb
Type: Metrics
  Values Removed: (empty)
  Values Added: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Tue, 13 Jan 2026 09:30:00 +0000

Type: First Time appeared
  Values Removed: (empty)
  Values Added: Maximmasiutin; Maximmasiutin tinyweb
Type: Vendors & Products
  Values Removed: (empty)
  Values Added: Maximmasiutin; Maximmasiutin tinyweb

Mon, 12 Jan 2026 19:15:00 +0000

Type: Metrics
  Values Removed: (empty)
  Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 12 Jan 2026 18:30:00 +0000

Type: Description
  Values Removed: (empty)
  Values Added: TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. TinyWeb HTTP Server before version 1.98 is vulnerable to OS command injection via CGI ISINDEX-style query parameters. The query parameters are passed as command-line arguments to the CGI executable via Windows CreateProcess(). An unauthenticated remote attacker can execute arbitrary commands on the server by injecting Windows shell metacharacters into HTTP requests. This vulnerability is fixed in 1.98.
Type: Title
  Values Removed: (empty)
  Values Added: TinyWeb CGI Command Injection
Type: Weaknesses
  Values Removed: (empty)
  Values Added: CWE-78
Type: References
  Values Removed: (empty)
  Values Added: (empty)
Type: Metrics
  Values Removed: (empty)
  Values Added: cvssV4_0 {'score': 10, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-12T18:50:57.979Z

Reserved: 2026-01-09T18:27:19.388Z

Link: CVE-2026-22781

Vulnrichment

Updated: 2026-01-12T18:50:53.774Z

NVD

Status: Analyzed

Published: 2026-01-12T19:16:03.787

Modified: 2026-01-16T18:44:23.120

Link: CVE-2026-22781

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T07:00:11Z

Weaknesses