Description
TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. Versions prior to version 2.02 have a Denial of Service (DoS) vulnerability via memory exhaustion. Unauthenticated remote attackers can send an HTTP POST request to the server with an exceptionally large `Content-Length` header (e.g., `2147483647`). The server continuously allocates memory for the request body (`EntityBody`) while streaming the payload without enforcing any maximum limit, leading to all available memory being consumed and causing the server to crash. Anyone hosting services using TinyWeb is impacted. Version 2.02 fixes the issue. The patch introduces a `CMaxEntityBodySize` limit (set to 10MB) for the maximum size of accepted payloads. As a temporary workaround if upgrading is not immediately possible, consider placing the server behind a Web Application Firewall (WAF) or reverse proxy (like nginx or Cloudflare) configured to explicitly limit the maximum allowed HTTP request body size (e.g., `client_max_body_size` in nginx).
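As an added example (not TinyWeb's Delphi code and not from the advisory), the Python below puts the two reading strategies the description contrasts side by side: a reader that trusts `Content-Length` and keeps appending until that many bytes arrive, and one that refuses an oversized declaration before the first body byte is read. The 10 MiB ceiling mirrors the 10 MB `CMaxEntityBodySize` of the 2.02 fix, but the exact byte value, every function and class name, and the `LazyBody` stand-in for a client socket are assumptions of this example; the stand-in serves filler bytes on demand so the demo itself never holds a 2 GB buffer.

```python
"""Bounding an HTTP request body declared by Content-Length.

Added example: the unbounded pattern the advisory describes beside a reader
that enforces a ceiling.  Not TinyWeb code; names and values are assumptions.
"""

# Ceiling for an accepted body.  The 2.02 fix caps bodies at 10 MB via
# CMaxEntityBodySize; the exact byte count used here (10 MiB) is an assumption.
MAX_ENTITY_BODY_SIZE = 10 * 1024 * 1024
CHUNK = 64 * 1024


class BadRequest(Exception):
    """Malformed Content-Length (a server would answer 400)."""


class EntityTooLarge(Exception):
    """Declared or observed body exceeds the ceiling (a server would answer 413)."""


class LazyBody:
    """Constructed stand-in for a client socket: serves `total` bytes of filler on
    demand and counts what was read, so the demo never holds a large buffer."""

    def __init__(self, total):
        self.remaining = total
        self.served = 0

    def read(self, n):
        n = max(0, min(n, self.remaining))
        self.remaining -= n
        self.served += n
        return b"A" * n


def parse_content_length(headers):
    """Return the declared body length, or 0 when the header is absent.  RFC 9110
    allows only 1*DIGIT, so signs, blanks and non-ASCII digits are rejected."""
    value = headers.get("Content-Length")
    if value is None:
        return 0
    value = value.strip()
    if not (value.isascii() and value.isdigit()):   # rejects "", "-1", "+5", "1e9"
        raise BadRequest("invalid Content-Length: %r" % value)
    return int(value)


def _drain(stream, length, limit):
    """Read `length` bytes in CHUNK-sized pieces.  With limit=None nothing stops
    growth; with a limit the running total is checked on every chunk, so any
    reader that reuses this loop (a dechunker, say) inherits the ceiling."""
    body = bytearray()
    while len(body) < length:
        chunk = stream.read(min(CHUNK, length - len(body)))
        if not chunk:
            break                                # peer closed early
        body += chunk
        if limit is not None and len(body) > limit:
            raise EntityTooLarge("body exceeded %d bytes while streaming" % limit)
    return bytes(body)


def read_body_unbounded(headers, stream):
    """Vulnerable pattern (pre-2.02 behaviour as the advisory describes it):
    trust Content-Length and keep appending until that many bytes arrive."""
    return _drain(stream, parse_content_length(headers), limit=None)


def read_body_bounded(headers, stream, limit=MAX_ENTITY_BODY_SIZE):
    """Hardened reader: refuse an oversized declaration before reading a single
    body byte, then stream the rest under the same ceiling."""
    length = parse_content_length(headers)
    if length > limit:
        raise EntityTooLarge("Content-Length %d exceeds limit %d" % (length, limit))
    return _drain(stream, length, limit)


def handle_post(headers, stream, reader=read_body_bounded):
    """Return (status, body) the way a minimal server would answer the request."""
    try:
        body = reader(headers, stream)
    except BadRequest:
        return 400, b""
    except EntityTooLarge:
        return 413, b""
    return 200, body


if __name__ == "__main__":
    oversized = {"Content-Length": "2147483647"}   # value quoted in the advisory
    client = LazyBody(MAX_ENTITY_BODY_SIZE + 1)
    print("bounded:", handle_post(oversized, client)[0], "read", client.served)
    client = LazyBody(MAX_ENTITY_BODY_SIZE + 1)
    print("unbounded:", handle_post(oversized, client, read_body_unbounded)[0],
          "read", client.served)
```

The two `served` counters are the point of the demo: the bounded reader answers 413 after consuming zero body bytes, whereas the unbounded reader swallows whatever the client keeps sending until the stream ends or memory runs out. The nginx workaround the description names is the same check moved in front of the server: `client_max_body_size 10m;` in the `server` or `location` block that proxies to TinyWeb makes nginx answer 413 to any larger declared body before a byte reaches the backend.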
Published: 2026-02-25
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via memory exhaustion, caused by unbounded Content-Length handling.
Action: Immediate Patch
AI Analysis

Impact

TinyWeb, a Delphi‑based HTTP/HTTPS server, allows an unauthenticated attacker to trigger a denial of service by sending a POST request whose Content‑Length header is exceptionally large. The server streams the incoming payload into memory without enforcing a maximum limit, allocating memory continuously for the body until system memory is exhausted and the process terminates. The weakness aligns with CWE‑400 (Uncontrolled Resource Consumption) and CWE‑770 (Allocation of Unbounded Resources).

Affected Systems

All hosts running TinyWeb versions earlier than 2.02 are vulnerable; the advisory names no narrower affected range. The CVE record lists the vendor as maximmasiutin (the TinyWeb GitHub project), while NVD's CPE entry records the product as ritlabs:tinyweb, so asset inventories should be searched under both vendor names.

Risk and Exploitability

The flaw yields a remote denial of service; no authentication or user interaction is required. The CVSS 4.0 base score is 8.7 (High); NVD's CVSS 3.1 score for the same issue is 7.5, and both vectors rate the impact as availability-only. EPSS puts the exploitation probability below 1 %, the SSVC assessment records no known exploitation and rates the issue as not automatable, and the vulnerability is not listed in CISA's KEV catalog, so there is no sign of large-scale attacks yet. None of that makes the attack difficult: a single unauthenticated POST with an oversized Content-Length, followed by a streamed body, is enough to exhaust memory and crash the process, and the service stays down until it is restarted.

Generated by OpenCVE AI on April 17, 2026 at 14:44 UTC.

Remediation

Vendor fix: TinyWeb 2.02, which introduces the CMaxEntityBodySize limit (10 MB) on accepted request bodies. Workaround until the upgrade is possible: a WAF or reverse proxy in front of the server that rejects request bodies above a chosen size (see the Description above).

OpenCVE Recommended Actions

  • Upgrade TinyWeb to version 2.02 or later, which enforces a 10 MB maximum entity body size (CMaxEntityBodySize).
  • If an immediate upgrade is not possible, backport the upstream change that introduces the CMaxEntityBodySize limit; note that the commit itself is not linked from this page.
  • Configure a front‑end WAF or reverse proxy such as nginx or Cloudflare to enforce a maximum request body size (e.g., client_max_body_size in nginx), so that oversized POST requests are rejected with 413 before they reach TinyWeb.


Advisories

No advisories yet.

History

Sat, 28 Feb 2026 01:15:00 +0000

Type                 Values Removed  Values Added
First Time appeared  (none)          Ritlabs; Ritlabs tinyweb
Weaknesses           (none)          CWE-770
CPEs                 (none)          cpe:2.3:a:ritlabs:tinyweb:*:*:*:*:*:*:*:*
Vendors & Products   (none)          Ritlabs; Ritlabs tinyweb
Metrics              (none)          cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Thu, 26 Feb 2026 19:15:00 +0000

Type     Values Removed  Values Added
Metrics  (none)          ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 26 Feb 2026 13:30:00 +0000

Type                 Values Removed  Values Added
First Time appeared  (none)          Maximmasiutin; Maximmasiutin tinyweb
Vendors & Products   (none)          Maximmasiutin; Maximmasiutin tinyweb

Wed, 25 Feb 2026 23:30:00 +0000

Type         Values Removed  Values Added
Description  (none)          (the full CVE description, identical to the Description section at the top of this page)
Title        (none)          TinyWeb has Unbounded Content-Length Memory Exhaustion (DoS)
Weaknesses   (none)          CWE-400
References   (none)          (not shown on this page)
Metrics      (none)          cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-26T16:51:43.475Z

Reserved: 2026-02-20T22:02:30.028Z

Link: CVE-2026-27633

Vulnrichment

Updated: 2026-02-26T16:51:37.138Z

NVD

Status : Analyzed

Published: 2026-02-26T00:16:24.130

Modified: 2026-02-28T01:00:49.873

Link: CVE-2026-27633

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T14:45:21Z

Weaknesses